-rw-r--r--example/ndpiReader.c290
-rw-r--r--example/reader_util.c390
-rw-r--r--example/reader_util.h39
-rw-r--r--packages/rpm/ndpi.spec.in2
-rw-r--r--src/include/ndpi_api.h24
-rw-r--r--src/include/ndpi_protocol_ids.h4
-rw-r--r--src/include/ndpi_protocols.h2
-rw-r--r--src/include/ndpi_typedefs.h32
-rw-r--r--src/lib/ndpi_content_match.c.inc6
-rw-r--r--src/lib/ndpi_main.c303
-rw-r--r--src/lib/ndpi_serializer.c1107
-rw-r--r--src/lib/ndpi_utils.c929
-rw-r--r--src/lib/protocols/directconnect.c141
-rw-r--r--src/lib/protocols/dns.c32
-rw-r--r--src/lib/protocols/hangout.c28
-rw-r--r--src/lib/protocols/http.c22
-rw-r--r--src/lib/protocols/mail_imap.c2
-rw-r--r--src/lib/protocols/msn.c6
-rw-r--r--src/lib/protocols/ookla.c4
-rw-r--r--src/lib/protocols/quic.c16
-rw-r--r--src/lib/protocols/rtp.c107
-rw-r--r--src/lib/protocols/ssh.c240
-rw-r--r--src/lib/protocols/stun.c201
-rw-r--r--src/lib/protocols/teamspeak.c45
-rw-r--r--src/lib/protocols/tls.c (renamed from src/lib/protocols/ssl.c)632
-rw-r--r--src/lib/protocols/tor.c12
-rw-r--r--src/lib/protocols/yahoo.c2
-rw-r--r--src/lib/third_party/include/ndpi_md5.h18
-rw-r--r--src/lib/third_party/src/ndpi_md5.c204
-rw-r--r--tests/pcap/smbv1.pcapbin0 -> 1333 bytes
-rw-r--r--tests/result/1kxun.pcap.out127
-rw-r--r--tests/result/6in4tunnel.pcap.out6
-rw-r--r--tests/result/Instagram.pcap.out22
-rw-r--r--tests/result/KakaoTalk_chat.pcap.out26
-rw-r--r--tests/result/KakaoTalk_talk.pcap.out21
-rw-r--r--tests/result/dnscrypt.pcap.out10
-rw-r--r--tests/result/facebook.pcap.out4
-rw-r--r--tests/result/google_ssl.pcap.out2
-rw-r--r--tests/result/hangout.pcap.out2
-rw-r--r--tests/result/http_ipv6.pcap.out28
-rw-r--r--tests/result/netflix.pcap.out42
-rw-r--r--tests/result/nintendo.pcap.out8
-rw-r--r--tests/result/ocs.pcap.out10
-rw-r--r--tests/result/skype.pcap.out72
-rw-r--r--tests/result/skype_no_unknown.pcap.out56
-rw-r--r--tests/result/smbv1.pcap.out3
-rw-r--r--tests/result/snapchat.pcap.out6
-rw-r--r--tests/result/starcraft_battle.pcap.out30
-rw-r--r--tests/result/tor.pcap.out23
-rw-r--r--tests/result/viber.pcap.out20
-rw-r--r--tests/result/waze.pcap.out32
-rw-r--r--tests/result/webex.pcap.out108
-rw-r--r--tests/result/wechat.pcap.out106
-rw-r--r--tests/result/weibo.pcap.out34
-rw-r--r--tests/result/whatsapp_login_call.pcap.out52
-rw-r--r--tests/result/whatsapp_login_chat.pcap.out2
-rw-r--r--tests/result/whatsappfiles.pcap.out4
-rw-r--r--tests/result/youtubeupload.pcap.out2
58 files changed, 3543 insertions, 2155 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 32321aa94..708e330e1 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -81,8 +81,8 @@ static json_object *jArray_topStats;
static u_int8_t live_capture = 0;
static u_int8_t undetected_flows_deleted = 0;
/** User preferences **/
-u_int8_t enable_protocol_guess = 1;
-u_int8_t verbose = 0, json_flag = 0;
+u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
+u_int8_t verbose = 0, json_flag = 0, enable_joy_stats = 0;
int nDPI_LogLevel = 0;
char *_debug_protocols = NULL;
static u_int8_t stats_flag = 0, bpf_filter_flag = 0;
@@ -90,6 +90,7 @@ static u_int8_t stats_flag = 0, bpf_filter_flag = 0;
static u_int8_t file_first_time = 1;
#endif
u_int8_t human_readeable_string_len = 5;
+u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 10;
static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
static u_int16_t decode_tunnels = 0;
static u_int16_t num_loops = 1;
@@ -212,6 +213,8 @@ static int dpdk_port_id = 0, dpdk_run_capture = 1;
void test_lib(); /* Forward */
+extern void ndpi_report_payload_stats();
+
/* ********************************** */
#ifdef DEBUG_TRACE
@@ -225,6 +228,110 @@ FILE *trace = NULL;
*/
static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle);
+static void reduceBDbits(uint32_t *bd, unsigned int len) {
+ int mask = 0;
+ int shift = 0;
+ unsigned int i = 0;
+
+ for(i = 0; i < len; i++)
+ mask = mask | bd[i];
+
+ mask = mask >> 8;
+ for(i = 0; i < 24 && mask; i++) {
+ mask = mask >> 1;
+ if (mask == 0) {
+ shift = i+1;
+ break;
+ }
+ }
+
+ for(i = 0; i < len; i++)
+ bd[i] = bd[i] >> shift;
+}
+
+/**
+ * @brief Get flow byte distribution mean and variance
+ */
+static void
+flowGetBDMeanandVariance(struct ndpi_flow_info* flow) {
+ FILE *out = results_file ? results_file : stdout;
+
+ const uint32_t *array = NULL;
+ uint32_t tmp[256], i;
+ unsigned int num_bytes;
+ double mean = 0.0, variance = 0.0;
+
+ fflush(out);
+
+ /*
+ * Sum up the byte_count array for outbound and inbound flows,
+ * if this flow is bidirectional
+ */
+ if (!flow->bidirectional) {
+ array = flow->src2dst_byte_count;
+ num_bytes = flow->src2dst_l4_bytes;
+ for (i=0; i<256; i++) {
+ tmp[i] = flow->src2dst_byte_count[i];
+ }
+
+ if (flow->src2dst_num_bytes != 0) {
+ mean = flow->src2dst_bd_mean;
+ variance = flow->src2dst_bd_variance/(flow->src2dst_num_bytes - 1);
+ variance = sqrt(variance);
+
+ if (flow->src2dst_num_bytes == 1) {
+ variance = 0.0;
+ }
+ }
+ } else {
+ for (i=0; i<256; i++) {
+ tmp[i] = flow->src2dst_byte_count[i] + flow->dst2src_byte_count[i];
+ }
+ array = tmp;
+ num_bytes = flow->src2dst_l4_bytes + flow->dst2src_l4_bytes;
+
+ if (flow->src2dst_num_bytes + flow->dst2src_num_bytes != 0) {
+ mean = ((double)flow->src2dst_num_bytes)/((double)(flow->src2dst_num_bytes+flow->dst2src_num_bytes))*flow->src2dst_bd_mean +
+ ((double)flow->dst2src_num_bytes)/((double)(flow->dst2src_num_bytes+flow->src2dst_num_bytes))*flow->dst2src_bd_mean;
+
+ variance = ((double)flow->src2dst_num_bytes)/((double)(flow->src2dst_num_bytes+flow->dst2src_num_bytes))*flow->src2dst_bd_variance +
+ ((double)flow->dst2src_num_bytes)/((double)(flow->dst2src_num_bytes+flow->src2dst_num_bytes))*flow->dst2src_bd_variance;
+
+ variance = variance/((double)(flow->src2dst_num_bytes + flow->dst2src_num_bytes - 1));
+ variance = sqrt(variance);
+ if (flow->src2dst_num_bytes + flow->dst2src_num_bytes == 1) {
+ variance = 0.0;
+ }
+ }
+ }
+
+ if(enable_joy_stats) {
+ if(verbose > 1) {
+ reduceBDbits(tmp, 256);
+ array = tmp;
+
+ fprintf(out, " [byte_dist: ");
+ for(i = 0; i < 255; i++)
+ fprintf(out, "%u,", (unsigned char)array[i]);
+
+ fprintf(out, "%u]", (unsigned char)array[i]);
+ }
+
+ /* Output the mean */
+ if(num_bytes != 0) {
+ fprintf(out, "][byte_dist_mean: %f", mean);
+ fprintf(out, "][byte_dist_std: %f]", variance);
+ }
+
+ if(num_bytes != 0) {
+ double entropy = ndpi_flow_get_byte_count_entropy(array, num_bytes);
+
+ fprintf(out, "[entropy: %f]", entropy);
+ fprintf(out, "[total_entropy: %f]", entropy * num_bytes);
+ }
+ }
+}
+
/**
* @brief Print help instructions
*/
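Review bot: In flowGetBDMeanandVariance the entropy is computed from `array` after `reduceBDbits(tmp, 256)` has right-shifted the counters in the `verbose > 1` branch, so the printed `entropy` and `total_entropy` change with the verbosity level; compute the entropy before scaling, or scale a separate copy that is only used for the `byte_dist` printout. `num_bytes` is taken from the `*_l4_bytes` totals, while the byte_count arrays stop being updated once ETTA_MIN_OCTETS is reached (ndpi_flow_update_byte_count in reader_util.c), so for longer flows the per-byte frequencies passed to the entropy function no longer sum to one. The `"][byte_dist_mean: %f"` format also opens with a `]` that has no matching `[`, which breaks anything that parses the bracketed fields. In reduceBDbits, `int mask` accumulates `uint32_t` values and is then right-shifted; `uint32_t mask` would avoid the implementation-defined shift of a negative value.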
@@ -236,8 +343,9 @@ static void help(u_int long_help) {
"-i <file|device> "
#endif
"[-f <filter>][-s <duration>][-m <duration>]\n"
- " [-p <protos>][-l <loops> [-q][-d][-h][-e <len>][-t][-v <level>]\n"
- " [-n <threads>][-w <file>][-c <file>][-j <file>][-x <file>]\n\n"
+ " [-p <protos>][-l <loops> [-q][-d][-J][-h][-e <len>][-t][-v <level>]\n"
+ " [-n <threads>][-w <file>][-c <file>][-j <file>][-x <file>]\n"
+ " [-T <num>][-U <num>]\n\n"
"Usage:\n"
" -i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a\n"
" | device for live capture (comma-separated list)\n"
@@ -255,7 +363,10 @@ static void help(u_int long_help) {
" -d | Disable protocol guess and use only DPI\n"
" -e <len> | Min human readeable string match len. Default %u\n"
" -q | Quiet mode\n"
+ " -J | Display flow SPLT (sequence of packet length and time)\n"
+ " | and BD (byte distribution). See https://github.com/cisco/joy\n"
" -t | Dissect GTP/TZSP tunnels\n"
+ " -P | Enable payload analysis\n"
" -r | Print nDPI version and git revision\n"
" -c <path> | Load custom categories from the specified file\n"
" -w <path> | Write test output on the specified file. This is useful for\n"
@@ -270,8 +381,13 @@ static void help(u_int long_help) {
" | >3 - full debug + dbg_proto = all\n"
" -b <file.json> | Specify a file to write port based diagnose statistics\n"
" -x <file.json> | Produce bpf filters for specified diagnose file. Use\n"
- " | this option only for .json files generated with -b flag.\n",
- human_readeable_string_len);
+ " | this option only for .json files generated with -b flag.\n"
+ " -T <num> | Max number of TCP processed packets before giving up [default: %u]\n"
+ " -U <num> | Max number of UDP processed packets before giving up [default: %u]\n"
+ ,
+ human_readeable_string_len,
+ max_num_tcp_dissected_pkts,
+ max_num_udp_dissected_pkts);
#ifndef WIN32
printf("\nExcap (wireshark) options:\n"
@@ -327,6 +443,8 @@ static struct option longopts[] = {
{ "version", no_argument, NULL, 'V'},
{ "help", no_argument, NULL, 'h'},
{ "json", required_argument, NULL, 'j'},
+ { "joy", required_argument, NULL, 'J'},
+ { "payload-analysis", required_argument, NULL, 'P'},
{ "result-path", required_argument, NULL, 'w'},
{ "quiet", no_argument, NULL, 'q'},
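Review bot: `--joy` and `--payload-analysis` are declared with `required_argument`, but the short options `J` and `P` are added to the getopt string without a colon and their handlers never read `optarg`, so the long forms would consume the next command-line word as a bogus argument. Both entries should use `no_argument`: `{ "joy", no_argument, NULL, 'J'},` and `{ "payload-analysis", no_argument, NULL, 'P'},`. The `longopts` array starts and ends outside this hunk.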
@@ -477,7 +595,8 @@ static void parseOptions(int argc, char **argv) {
}
#endif
- while((opt = getopt_long(argc, argv, "e:c:df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:b:x:", longopts, &option_idx)) != EOF) {
+ while((opt = getopt_long(argc, argv, "e:c:df:g:i:hp:Pl:s:tv:V:n:j:Jrp:w:q0123:456:7:89:m:b:x:T:U:",
+ longopts, &option_idx)) != EOF) {
#ifdef DEBUG_TRACE
if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : "");
#endif
@@ -573,6 +692,14 @@ static void parseOptions(int argc, char **argv) {
help(1);
break;
+ case 'J':
+ enable_joy_stats = 1;
+ break;
+
+ case 'P':
+ enable_payload_analyzer = 1;
+ break;
+
case 'j':
#ifndef HAVE_JSON_C
printf("WARNING: this copy of ndpiReader has been compiled without json-c: JSON export disabled\n");
@@ -634,6 +761,16 @@ static void parseOptions(int argc, char **argv) {
_debug_protocols = strdup(optarg);
break;
+ case 'T':
+ max_num_tcp_dissected_pkts = atoi(optarg);
+ if(max_num_tcp_dissected_pkts < 3) max_num_tcp_dissected_pkts = 3;
+ break;
+
+ case 'U':
+ max_num_udp_dissected_pkts = atoi(optarg);
+ if(max_num_udp_dissected_pkts < 3) max_num_udp_dissected_pkts = 3;
+ break;
+
default:
help(0);
break;
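Review bot: `atoi(optarg)` is stored straight into a `u_int8_t` (see the declaration of `max_num_tcp_dissected_pkts`), so `-T 256` silently becomes 0 and is then raised to 3, `-T 300` becomes 44, and non-numeric input is accepted as 0; the same applies to `-U`. Parse into a wider type and clamp before assigning, for example `long v = strtol(optarg, NULL, 10);` followed by `max_num_tcp_dissected_pkts = (v > 255) ? 255 : (v >= 3) ? (u_int8_t)v : 3;`. The enclosing switch in parseOptions starts and ends outside this hunk.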
@@ -721,12 +858,12 @@ static char* ipProto2Name(u_int16_t proto_id) {
/* ********************************** */
+#if 0
/**
* @brief A faster replacement for inet_ntoa().
*/
char* intoaV4(u_int32_t addr, char* buf, u_int16_t bufLen) {
- char *cp, *retStr;
- uint byte;
+ char *cp;
int n;
cp = &buf[bufLen];
@@ -734,7 +871,8 @@ char* intoaV4(u_int32_t addr, char* buf, u_int16_t bufLen) {
n = 4;
do {
- byte = addr & 0xff;
+ u_int byte = addr & 0xff;
+
*--cp = byte % 10 + '0';
byte /= 10;
if(byte > 0) {
@@ -743,15 +881,14 @@ char* intoaV4(u_int32_t addr, char* buf, u_int16_t bufLen) {
if(byte > 0)
*--cp = byte + '0';
}
- *--cp = '.';
+ if(n > 1)
+ *--cp = '.';
addr >>= 8;
- } while(--n > 0);
+ } while (--n > 0);
- /* Convert the string to lowercase */
- retStr = (char*)(cp+1);
-
- return(retStr);
+ return(cp);
}
+#endif
/* ********************************** */
@@ -799,6 +936,13 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id);
+ if(enable_joy_stats) {
+ /* Print entropy values for monitored flows. */
+ flowGetBDMeanandVariance(flow);
+ fflush(out);
+ fprintf(out, "[score: %.4f]", flow->score);
+ }
+
if(flow->detected_protocol.master_protocol) {
char buf[64];
@@ -826,15 +970,19 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info);
- if(flow->ssh_ssl.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_ssl.ssl_version));
- if(flow->ssh_ssl.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_ssl.ja3_client,
- print_cipher(flow->ssh_ssl.client_unsafe_cipher));
- if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info);
-
- if(flow->ssh_ssl.ja3_server[0] != '\0') fprintf(out, "[JA3S: %s%s]", flow->ssh_ssl.ja3_server,
- print_cipher(flow->ssh_ssl.server_unsafe_cipher));
- if(flow->ssh_ssl.server_organization[0] != '\0') fprintf(out, "[organization: %s]", flow->ssh_ssl.server_organization);
- if(flow->ssh_ssl.server_cipher != '\0') fprintf(out, "[Cipher: %s]", ndpi_cipher2str(flow->ssh_ssl.server_cipher));
+ if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version));
+ if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_tls.client_info);
+ if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh);
+
+ if(flow->ssh_tls.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_tls.ja3_client,
+ print_cipher(flow->ssh_tls.client_unsafe_cipher));
+ if(flow->ssh_tls.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_tls.server_info);
+ if(flow->ssh_tls.server_hassh[0] != '\0') fprintf(out, "[HASSH-S: %s]", flow->ssh_tls.server_hassh);
+
+ if(flow->ssh_tls.ja3_server[0] != '\0') fprintf(out, "[JA3S: %s%s]", flow->ssh_tls.ja3_server,
+ print_cipher(flow->ssh_tls.server_unsafe_cipher));
+ if(flow->ssh_tls.server_organization[0] != '\0') fprintf(out, "[organization: %s]", flow->ssh_tls.server_organization);
+ if(flow->ssh_tls.server_cipher != '\0') fprintf(out, "[Cipher: %s]", ndpi_cipher2str(flow->ssh_tls.server_cipher));
if(flow->bittorent_hash[0] != '\0') fprintf(out, "[BT Hash: %s]", flow->bittorent_hash);
if(flow->dhcp_fingerprint[0] != '\0') fprintf(out, "[DHCP Fingerprint: %s]", flow->dhcp_fingerprint);
@@ -881,25 +1029,25 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->host_server_name[0] != '\0')
json_object_object_add(jObj,"host.server.name",json_object_new_string(flow->host_server_name));
- if((flow->ssh_ssl.client_info[0] != '\0') || (flow->ssh_ssl.server_info[0] != '\0')) {
+ if((flow->ssh_tls.client_info[0] != '\0') || (flow->ssh_tls.server_info[0] != '\0')) {
json_object *sjObj = json_object_new_object();
- if(flow->ssh_ssl.ja3_server[0] != '\0')
- json_object_object_add(jObj,"ja3s",json_object_new_string(flow->ssh_ssl.ja3_server));
+ if(flow->ssh_tls.ja3_server[0] != '\0')
+ json_object_object_add(jObj,"ja3s",json_object_new_string(flow->ssh_tls.ja3_server));
- if(flow->ssh_ssl.ja3_client[0] != '\0')
- json_object_object_add(jObj,"ja3c",json_object_new_string(flow->ssh_ssl.ja3_client));
+ if(flow->ssh_tls.ja3_client[0] != '\0')
+ json_object_object_add(jObj,"ja3c",json_object_new_string(flow->ssh_tls.ja3_client));
- if(flow->ssh_ssl.ja3_server[0] != '\0')
- json_object_object_add(jObj,"host.server.ja3",json_object_new_string(flow->ssh_ssl.ja3_server));
+ if(flow->ssh_tls.ja3_server[0] != '\0')
+ json_object_object_add(jObj,"host.server.ja3",json_object_new_string(flow->ssh_tls.ja3_server));
- if(flow->ssh_ssl.client_info[0] != '\0')
- json_object_object_add(sjObj, "client", json_object_new_string(flow->ssh_ssl.client_info));
+ if(flow->ssh_tls.client_info[0] != '\0')
+ json_object_object_add(sjObj, "client", json_object_new_string(flow->ssh_tls.client_info));
- if(flow->ssh_ssl.server_info[0] != '\0')
- json_object_object_add(sjObj, "server", json_object_new_string(flow->ssh_ssl.server_info));
+ if(flow->ssh_tls.server_info[0] != '\0')
+ json_object_object_add(sjObj, "server", json_object_new_string(flow->ssh_tls.server_info));
- json_object_object_add(jObj, "ssh_ssl", sjObj);
+ json_object_object_add(jObj, "ssh_tls", sjObj);
}
if(json_flag == 1)
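Review bot: Renaming the emitted JSON key from `"ssh_ssl"` to `"ssh_tls"` changes the output schema, unlike the struct-field renames around it; any consumer of ndpiReader's JSON that looks up the old key will stop finding the object without an error, so this deserves a changelog entry or a comment at the `json_object_object_add(jObj, "ssh_tls", sjObj)` line. In the new code `"ja3s"` and `"ja3c"` are still written only inside the `client_info`/`server_info` condition, so a flow that has a JA3 hash but neither info string exports no fingerprint; moving those two adds out of the condition would fix that. The enclosing function starts and ends outside this hunk.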
@@ -1944,6 +2092,9 @@ void printPortStats(struct port_stats *stats) {
/* *********************************************** */
static void printFlowsStats() {
+ if(enable_payload_analyzer)
+ ndpi_report_payload_stats();
+
if(verbose) {
int thread_id;
FILE *out = results_file ? results_file : stdout;
@@ -1982,7 +2133,7 @@ static void printFlowsStats() {
ndpi_ja3_fingerprints_host *hostByJA3Found = NULL;
//check if this is a ssh-ssl flow
- if(all_flows[i].flow->ssh_ssl.ja3_client[0] != '\0'){
+ if(all_flows[i].flow->ssh_tls.ja3_client[0] != '\0'){
//looking if the host is already in the hash table
HASH_FIND_INT(ja3ByHostsHashT, &(all_flows[i].flow->src_ip), ja3ByHostFound);
@@ -1994,11 +2145,11 @@ static void printFlowsStats() {
newHost->host_server_info_hasht = NULL;
newHost->ip_string = all_flows[i].flow->src_name;
newHost->ip = all_flows[i].flow->src_ip;
- newHost->dns_name = all_flows[i].flow->ssh_ssl.client_info;
+ newHost->dns_name = all_flows[i].flow->ssh_tls.client_info;
ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));
- newJA3->ja3 = all_flows[i].flow->ssh_ssl.ja3_client;
- newJA3->unsafe_cipher = all_flows[i].flow->ssh_ssl.client_unsafe_cipher;
+ newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client;
+ newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.client_unsafe_cipher;
//adding the new ja3 fingerprint
HASH_ADD_KEYPTR(hh, newHost->host_client_info_hasht,
newJA3->ja3, strlen(newJA3->ja3), newJA3);
@@ -2009,29 +2160,29 @@ static void printFlowsStats() {
ndpi_ja3_info *infoFound = NULL;
HASH_FIND_STR(ja3ByHostFound->host_client_info_hasht,
- all_flows[i].flow->ssh_ssl.ja3_client, infoFound);
+ all_flows[i].flow->ssh_tls.ja3_client, infoFound);
if(infoFound == NULL){
ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));
- newJA3->ja3 = all_flows[i].flow->ssh_ssl.ja3_client;
- newJA3->unsafe_cipher = all_flows[i].flow->ssh_ssl.client_unsafe_cipher;
+ newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client;
+ newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.client_unsafe_cipher;
HASH_ADD_KEYPTR(hh, ja3ByHostFound->host_client_info_hasht,
newJA3->ja3, strlen(newJA3->ja3), newJA3);
}
}
//ja3 -> host ip
- HASH_FIND_STR(hostByJA3C_ht, all_flows[i].flow->ssh_ssl.ja3_client, hostByJA3Found);
+ HASH_FIND_STR(hostByJA3C_ht, all_flows[i].flow->ssh_tls.ja3_client, hostByJA3Found);
if(hostByJA3Found == NULL){
ndpi_ip_dns *newHost = malloc(sizeof(ndpi_ip_dns));
newHost->ip = all_flows[i].flow->src_ip;
newHost->ip_string = all_flows[i].flow->src_name;
- newHost->dns_name = all_flows[i].flow->ssh_ssl.client_info;;
+ newHost->dns_name = all_flows[i].flow->ssh_tls.client_info;;
ndpi_ja3_fingerprints_host *newElement = malloc(sizeof(ndpi_ja3_fingerprints_host));
- newElement->ja3 = all_flows[i].flow->ssh_ssl.ja3_client;
- newElement->unsafe_cipher = all_flows[i].flow->ssh_ssl.client_unsafe_cipher;
+ newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_client;
+ newElement->unsafe_cipher = all_flows[i].flow->ssh_tls.client_unsafe_cipher;
newElement->ipToDNS_ht = NULL;
HASH_ADD_INT(newElement->ipToDNS_ht, ip, newHost);
@@ -2044,13 +2195,13 @@ static void printFlowsStats() {
ndpi_ip_dns *newInnerElement = malloc(sizeof(ndpi_ip_dns));
newInnerElement->ip = all_flows[i].flow->src_ip;
newInnerElement->ip_string = all_flows[i].flow->src_name;
- newInnerElement->dns_name = all_flows[i].flow->ssh_ssl.client_info;
+ newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_info;
HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement);
}
}
}
- if(all_flows[i].flow->ssh_ssl.ja3_server[0] != '\0'){
+ if(all_flows[i].flow->ssh_tls.ja3_server[0] != '\0'){
//looking if the host is already in the hash table
HASH_FIND_INT(ja3ByHostsHashT, &(all_flows[i].flow->dst_ip), ja3ByHostFound);
if(ja3ByHostFound == NULL){
@@ -2060,11 +2211,11 @@ static void printFlowsStats() {
newHost->host_server_info_hasht = NULL;
newHost->ip_string = all_flows[i].flow->dst_name;
newHost->ip = all_flows[i].flow->dst_ip;
- newHost->dns_name = all_flows[i].flow->ssh_ssl.server_info;
+ newHost->dns_name = all_flows[i].flow->ssh_tls.server_info;
ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));
- newJA3->ja3 = all_flows[i].flow->ssh_ssl.ja3_server;
- newJA3->unsafe_cipher = all_flows[i].flow->ssh_ssl.server_unsafe_cipher;
+ newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_server;
+ newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.server_unsafe_cipher;
//adding the new ja3 fingerprint
HASH_ADD_KEYPTR(hh, newHost->host_server_info_hasht, newJA3->ja3,
strlen(newJA3->ja3), newJA3);
@@ -2074,27 +2225,27 @@ static void printFlowsStats() {
//host already in the hashtable
ndpi_ja3_info *infoFound = NULL;
HASH_FIND_STR(ja3ByHostFound->host_server_info_hasht,
- all_flows[i].flow->ssh_ssl.ja3_server, infoFound);
+ all_flows[i].flow->ssh_tls.ja3_server, infoFound);
if(infoFound == NULL){
ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info));
- newJA3->ja3 = all_flows[i].flow->ssh_ssl.ja3_server;
- newJA3->unsafe_cipher = all_flows[i].flow->ssh_ssl.server_unsafe_cipher;
+ newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_server;
+ newJA3->unsafe_cipher = all_flows[i].flow->ssh_tls.server_unsafe_cipher;
HASH_ADD_KEYPTR(hh, ja3ByHostFound->host_server_info_hasht,
newJA3->ja3, strlen(newJA3->ja3), newJA3);
}
}
- HASH_FIND_STR(hostByJA3S_ht, all_flows[i].flow->ssh_ssl.ja3_server, hostByJA3Found);
+ HASH_FIND_STR(hostByJA3S_ht, all_flows[i].flow->ssh_tls.ja3_server, hostByJA3Found);
if(hostByJA3Found == NULL){
ndpi_ip_dns *newHost = malloc(sizeof(ndpi_ip_dns));
newHost->ip = all_flows[i].flow->dst_ip;
newHost->ip_string = all_flows[i].flow->dst_name;
- newHost->dns_name = all_flows[i].flow->ssh_ssl.server_info;;
+ newHost->dns_name = all_flows[i].flow->ssh_tls.server_info;;
ndpi_ja3_fingerprints_host *newElement = malloc(sizeof(ndpi_ja3_fingerprints_host));
- newElement->ja3 = all_flows[i].flow->ssh_ssl.ja3_server;
- newElement->unsafe_cipher = all_flows[i].flow->ssh_ssl.server_unsafe_cipher;
+ newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_server;
+ newElement->unsafe_cipher = all_flows[i].flow->ssh_tls.server_unsafe_cipher;
newElement->ipToDNS_ht = NULL;
HASH_ADD_INT(newElement->ipToDNS_ht, ip, newHost);
@@ -2108,7 +2259,7 @@ static void printFlowsStats() {
ndpi_ip_dns *newInnerElement = malloc(sizeof(ndpi_ip_dns));
newInnerElement->ip = all_flows[i].flow->dst_ip;
newInnerElement->ip_string = all_flows[i].flow->dst_name;
- newInnerElement->dns_name = all_flows[i].flow->ssh_ssl.server_info;
+ newInnerElement->dns_name = all_flows[i].flow->ssh_tls.server_info;
HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement);
}
}
@@ -3094,10 +3245,11 @@ void serializerUnitTest() {
assert(ndpi_serialize_uint32_string(&serializer, i, "Hello") != -1);
assert(ndpi_serialize_string_string(&serializer, kbuf, vbuf) != -1);
assert(ndpi_serialize_string_uint32(&serializer, kbuf, i*i) != -1);
+ assert(ndpi_serialize_string_float(&serializer, kbuf, (float)(i*i), "%f") != -1);
}
if(trace)
- printf("Serialization size: %u/%u\n", serializer.size_used, serializer.buffer_size);
+ printf("Serialization size: %u\n", ndpi_serializer_get_buffer_len(&serializer));
assert(ndpi_init_deserializer(&deserializer, &serializer) != -1);
@@ -3109,7 +3261,8 @@ void serializerUnitTest() {
else {
u_int32_t k32, v32;
ndpi_string ks, vs;
-
+ float vf;
+
switch(et) {
case ndpi_serialization_uint32_uint32:
assert(ndpi_deserialize_uint32_uint32(&deserializer, &k32, &v32) != -1);
@@ -3149,6 +3302,17 @@ void serializerUnitTest() {
}
break;
+ case ndpi_serialization_string_float:
+ assert(ndpi_deserialize_string_float(&deserializer, &ks, &vf) != -1);
+ if(trace) {
+ u_int8_t bkpk = ks.str[ks.str_len];
+
+ ks.str[ks.str_len] = '\0';
+ printf("%s=%f\n", ks.str, vf);
+ ks.str[ks.str_len] = bkpk;
+ }
+ break;
+
default:
printf("serializerUnitTest: unsupported type %u detected!\n", et);
return;
diff --git a/example/reader_util.c b/example/reader_util.c
index d0ec31930..b8e21cce8 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -34,6 +34,8 @@
#else
#include <unistd.h>
#include <netinet/in.h>
+#include <math.h>
+#include <float.h>
#endif
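Review bot: `<math.h>` and `<float.h>` are added inside the `#else` branch next to `<unistd.h>`, yet `logf()` and `FLT_EPSILON` are used unconditionally in ndpi_flow_get_byte_count_entropy later in this file. The condition of the `#if` is outside the hunk; if the other branch is the Windows one, that build gets no declaration for either name. Moving both includes below the `#endif` makes them unconditional.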
#ifndef ETH_P_IP
@@ -73,9 +75,158 @@
#include "ndpi_main.h"
#include "reader_util.h"
+#include "ndpi_classify.h"
-extern u_int8_t enable_protocol_guess;
+extern u_int8_t enable_protocol_guess, enable_joy_stats, enable_payload_analyzer;
extern u_int8_t verbose, human_readeable_string_len;
+extern u_int8_t max_num_udp_dissected_pkts /* 8 */, max_num_tcp_dissected_pkts /* 10 */;
+
+static u_int32_t flow_id = 0;
+
+/* ****************************************************** */
+
+struct payload_stats {
+ u_int8_t *pattern;
+ u_int8_t pattern_len;
+ u_int16_t num_occurrencies;
+ UT_hash_handle hh; /* makes this structure hashable */
+};
+
+
+struct payload_stats *pstats = NULL;
+u_int32_t max_num_packets_per_flow = 32;
+u_int32_t max_packet_payload_dissection = 32; /* Full payload */
+u_int16_t min_pattern_len = 4;
+u_int16_t max_pattern_len = 8;
+
+
+void ndpi_analyze_payload(struct ndpi_flow_info *flow,
+ u_int8_t src_to_dst_direction,
+ u_int8_t *payload,
+ u_int16_t payload_len) {
+ struct payload_stats *ret;
+ u_int i;
+
+#ifdef DEBUG_PAYLOAD
+ for(i=0; i<payload_len; i++)
+ printf("%c", isprint(payload[i]) ? payload[i] : '.');
+ printf("\n");
+#endif
+
+ HASH_FIND(hh, pstats, payload, payload_len, ret);
+ if(ret == NULL) {
+ if((ret = (struct payload_stats*)calloc(1, sizeof(struct payload_stats))) == NULL)
+ return; /* OOM */
+
+ if((ret->pattern = (u_int8_t*)malloc(payload_len)) == NULL) {
+ free(ret);
+ return;
+ }
+
+ memcpy(ret->pattern, payload, payload_len);
+ ret->pattern_len = payload_len;
+ ret->num_occurrencies = 1;
+
+ HASH_ADD(hh, pstats, pattern[0], payload_len, ret);
+
+#ifdef DEBUG_PAYLOAD
+ printf("Added element [total: %u]\n", HASH_COUNT(pstats));
+#endif
+ } else {
+ ret->num_occurrencies++;
+ // printf("==> %u\n", ret->num_occurrencies);
+ }
+}
+
+
+void ndpi_payload_analyzer(struct ndpi_flow_info *flow,
+ u_int8_t src_to_dst_direction,
+ u_int8_t *payload, u_int16_t payload_len) {
+ u_int16_t i, j;
+ u_int16_t scan_len = ndpi_min(max_packet_payload_dissection, payload_len);
+
+ if((flow->src2dst_pkt_count+flow->dst2src_pkt_count) < max_num_packets_per_flow) {
+#ifdef DEBUG_PAYLOAD
+ printf("[hashval: %u][proto: %u][vlan: %u][%s:%u <-> %s:%u][direction: %s][payload_len: %u]\n",
+ flow->hashval, flow->protocol, flow->vlan_id,
+ flow->src_name, flow->src_port,
+ flow->dst_name, flow->dst_port,
+ src_to_dst_direction ? "s2d" : "d2s",
+ payload_len);
+#endif
+ } else
+ return;
+
+ for(i=0; i<scan_len; i++) {
+ for(j=min_pattern_len; j <= max_pattern_len; j++) {
+ if((i+j) < payload_len) {
+ ndpi_analyze_payload(flow, src_to_dst_direction, &payload[i], j);
+ ndpi_analyze_payload(flow, src_to_dst_direction, &payload[i], j);
+ }
+ }
+ }
+}
+
+/* ***************************************************** */
+
+static int payload_stats_sort_asc(void *_a, void *_b) {
+ struct payload_stats *a = (struct payload_stats *)_a;
+ struct payload_stats *b = (struct payload_stats *)_b;
+
+ //return(a->num_occurrencies - b->num_occurrencies);
+ return(b->num_occurrencies - a->num_occurrencies);
+}
+
+/* ***************************************************** */
+
+void print_payload_stat(struct payload_stats *p) {
+ u_int i;
+
+ printf("\t[");
+
+ for(i=0; i<p->pattern_len; i++) {
+ printf("%c", isprint(p->pattern[i]) ? p->pattern[i] : '.');
+ }
+
+ printf("]");
+ for(; i<16; i++) printf(" ");
+ printf("[");
+
+ for(i=0; i<p->pattern_len; i++) {
+ printf("%s%02X", (i > 0) ? " " : "", isprint(p->pattern[i]) ? p->pattern[i] : '.');
+ }
+
+ printf("]");
+
+ for(; i<16; i++) printf(" ");
+ for(i=p->pattern_len; i<max_pattern_len; i++) printf(" ");
+
+ printf("[len: %u][num_occurrencies: %u]\n",
+ p->pattern_len, p->num_occurrencies);
+}
+
+/* ***************************************************** */
+
+void ndpi_report_payload_stats() {
+ struct payload_stats *p, *tmp;
+ u_int num = 0, max_num = 25;
+
+ printf("\n\nPayload Analysis\n");
+
+ HASH_SORT(pstats, payload_stats_sort_asc);
+
+ HASH_ITER(hh, pstats, p, tmp) {
+ if(num <= max_num)
+ print_payload_stat(p);
+
+ free(p->pattern);
+ HASH_DEL(pstats, p);
+ free(p);
+ num++;
+ }
+}
+
+
/* ***************************************************** */
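Review bot: ndpi_payload_analyzer calls `ndpi_analyze_payload(flow, src_to_dst_direction, &payload[i], j);` twice in a row, so every pattern is counted twice and the `u_int16_t num_occurrencies` counter wraps after 32768 real hits, which then mis-orders the sorted report; drop the second call and consider a `u_int32_t` counter. In print_payload_stat the hex column reuses the `isprint(...) ? ... : '.'` ternary from the ASCII column, so every non-printable byte is shown as `2E`; it should be `printf("%s%02X", (i > 0) ? " " : "", p->pattern[i]);`. `pstats` is a non-static global updated through HASH_FIND/HASH_ADD with no lock and no size cap, while the tool has a `-n` threads option: if the analyzer is reached from the worker threads (the call site is not visible here) that is a data race, and on a long or live capture the table keeps growing with keys derived from traffic content. Smaller points: `payload_stats_sort_asc` sorts in descending order, and `if(num <= max_num)` prints 26 rows rather than 25.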
@@ -273,6 +424,94 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) {
return(0); /* notreached */
}
+/**
+ * \brief Update the byte count for the flow record.
+ * \param f Flow data
+ * \param x Data to use for update
+ * \param len Length of the data (in bytes)
+ * \return none
+ */
+static void
+ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x,
+ unsigned int len, u_int8_t src_to_dst_direction) {
+ const unsigned char *data = x;
+ u_int32_t i;
+ u_int32_t current_count = 0;
+
+ /*
+ * implementation note: The spec says that 4000 octets is enough of a
+ * sample size to accurately reflect the byte distribution. Also, to avoid
+ * wrapping of the byte count at the 16-bit boundry, we stop counting once
+ * the 4000th octet has been seen for a flow.
+ */
+
+ /* octet count was already incremented before processing this payload */
+ if (src_to_dst_direction) {
+ current_count = flow->src2dst_l4_bytes - len;
+ } else {
+ current_count = flow->dst2src_l4_bytes - len;
+ }
+
+ if (current_count < ETTA_MIN_OCTETS) {
+ for (i=0; i<len; i++) {
+ if (src_to_dst_direction) {
+ flow->src2dst_byte_count[data[i]]++;
+ } else {
+ flow->dst2src_byte_count[data[i]]++;
+ }
+ current_count++;
+ if (current_count >= ETTA_MIN_OCTETS) {
+ break;
+ }
+ }
+ }
+}
+
+/**
+ * \brief Update the byte distribution mean for the flow record.
+ * \param f Flow record
+ * \param x Data to use for update
+ * \param len Length of the data (in bytes)
+ * \return none
+ */
+static void
+ndpi_flow_update_byte_dist_mean_var(ndpi_flow_info_t *flow, const void *x,
+ unsigned int len, u_int8_t src_to_dst_direction) {
+ const unsigned char *data = x;
+ double delta;
+ unsigned int i;
+
+ for (i=0; i<len; i++) {
+ if (src_to_dst_direction) {
+ flow->src2dst_num_bytes += 1;
+ delta = ((double)data[i] - flow->src2dst_bd_mean);
+ flow->src2dst_bd_mean += delta/((double)flow->src2dst_num_bytes);
+ flow->src2dst_bd_variance += delta*((double)data[i] - flow->src2dst_bd_mean);
+ } else {
+ flow->dst2src_num_bytes += 1;
+ delta = ((double)data[i] - flow->dst2src_bd_mean);
+ flow->dst2src_bd_mean += delta/((double)flow->dst2src_num_bytes);
+ flow->dst2src_bd_variance += delta*((double)data[i] - flow->dst2src_bd_mean);
+ }
+ }
+}
+
+float
+ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256],
+ unsigned int num_bytes)
+{
+ int i;
+ float tmp, sum = 0.0;
+
+ for (i=0; i<256; i++) {
+ tmp = (float) byte_count[i] / (float) num_bytes;
+ if (tmp > FLT_EPSILON) {
+ sum -= tmp * logf(tmp);
+ }
+ }
+ return sum / logf(2.0);
+}
+
/* ***************************************************** */
static void patchIPv6Address(char *str) {
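Review bot: ndpi_flow_get_byte_count_entropy divides by `num_bytes` with no zero check; the caller in ndpiReader.c guards with `num_bytes != 0`, but the function is non-static, so add `if(num_bytes == 0) return 0.0f;` at the top. In ndpi_flow_update_byte_count, `current_count = flow->src2dst_l4_bytes - len` relies on the caller having already added this packet to the `*_l4_bytes` total; if `len` were ever larger, the subtraction would presumably wrap (the field type is not visible here) and counting would silently stop, so an explicit guard or a comment stating the precondition would help. The doc comments name the first parameter `f` and omit `src_to_dst_direction`, and the remark about wrapping at the 16-bit boundary does not match the `uint32_t` counters that the entropy function takes.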
@@ -309,11 +548,13 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
u_int8_t *proto,
u_int8_t **payload,
u_int16_t *payload_len,
- u_int8_t *src_to_dst_direction) {
+ u_int8_t *src_to_dst_direction,
+ struct timeval when) {
u_int32_t idx, l4_offset, hashval;
struct ndpi_flow_info flow;
void *ret;
const u_int8_t *l3, *l4;
+ u_int32_t l4_data_len = 0XFEEDFACE;
/*
Note: to keep things simple (ndpiReader is just a demo app)
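Review bot: `l4_data_len` is initialised to the sentinel `0XFEEDFACE`, but the TCP, UDP and fallback branches in the following hunks all overwrite it, so the later `l4_data_len != 0XFEEDFACE` tests in the new-flow and existing-flow hunks look always true and `*_opackets` ends up counting every packet. If the counter is meant to track packets that carry L4 data, the test would be `if (l4_data_len > 0)` and the sentinel can go; if every packet is intended, the variable is not needed at all. The TCP branch also subtracts `sizeof(struct ndpi_tcphdr)` rather than the `4*doff` header length used for `payload_len` on the line above it, so TCP options are counted as data. The first branch condition and most of the function body are outside these hunks.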
@@ -363,6 +604,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
tcp_len = ndpi_min(4*(*tcph)->doff, l4_packet_len);
*payload = (u_int8_t*)&l4[tcp_len];
*payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff);
+ l4_data_len = l4_packet_len - sizeof(struct ndpi_tcphdr);
} else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= 8) {
// udp
@@ -371,9 +613,11 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
*sport = ntohs((*udph)->source), *dport = ntohs((*udph)->dest);
*payload = (u_int8_t*)&l4[sizeof(struct ndpi_udphdr)];
*payload_len = (l4_packet_len > sizeof(struct ndpi_udphdr)) ? l4_packet_len-sizeof(struct ndpi_udphdr) : 0;
+ l4_data_len = l4_packet_len - sizeof(struct ndpi_udphdr);
} else {
// non tcp/udp protocols
*sport = *dport = 0;
+ l4_data_len = 0;
}
flow.protocol = iph->protocol, flow.vlan_id = vlan_id;
@@ -418,6 +662,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
workflow->num_allocated_flows++;
memset(newflow, 0, sizeof(struct ndpi_flow_info));
+ newflow->flow_id = flow_id++;
newflow->hashval = hashval;
newflow->protocol = iph->protocol, newflow->vlan_id = vlan_id;
newflow->src_ip = iph->saddr, newflow->dst_ip = iph->daddr;
@@ -459,7 +704,15 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
workflow->stats.ndpi_flow_count++;
*src = newflow->src_id, *dst = newflow->dst_id;
-
+ newflow->src2dst_pkt_len[newflow->src2dst_pkt_count] = l4_packet_len;
+ newflow->src2dst_pkt_time[newflow->src2dst_pkt_count] = when;
+ if (newflow->src2dst_pkt_count == 0) {
+ newflow->src2dst_start = when;
+ }
+ newflow->src2dst_pkt_count++;
+ if (l4_data_len != 0XFEEDFACE) {
+ newflow->src2dst_opackets++;
+ }
return newflow;
}
} else {
@@ -485,6 +738,28 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
else
*src = flow->dst_id, *dst = flow->src_id, *src_to_dst_direction = 0, flow->bidirectional = 1;
}
+ if (src_to_dst_direction) {
+ if (flow->src2dst_pkt_count < MAX_NUM_PKTS) {
+ flow->src2dst_pkt_len[flow->src2dst_pkt_count] = l4_packet_len;
+ flow->src2dst_pkt_time[flow->src2dst_pkt_count] = when;
+ flow->src2dst_pkt_count++;
+ }
+ if (l4_data_len != 0XFEEDFACE) {
+ flow->src2dst_opackets++;
+ }
+ } else {
+ if (flow->dst2src_pkt_count < MAX_NUM_PKTS) {
+ flow->dst2src_pkt_len[flow->dst2src_pkt_count] = l4_packet_len;
+ flow->dst2src_pkt_time[flow->dst2src_pkt_count] = when;
+ if (flow->dst2src_pkt_count == 0) {
+ flow->dst2src_start = when;
+ }
+ flow->dst2src_pkt_count++;
+ }
+ if (l4_data_len != 0XFEEDFACE) {
+ flow->dst2src_opackets++;
+ }
+ }
return flow;
}
}
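Review bot: `if (src_to_dst_direction) {` tests the pointer parameter (`u_int8_t *src_to_dst_direction` in the signature), not the direction it points to, which the lines just above write through as `*src_to_dst_direction = 0`. Since packet_processing passes the address of a local, the condition is always true: every packet of an existing flow is recorded in the `src2dst_*` arrays, and the `dst2src_pkt_len`, `dst2src_pkt_time`, `dst2src_start` and `dst2src_opackets` updates in the else branch never run. The test should be `if (*src_to_dst_direction) {`. The `< MAX_NUM_PKTS` bounds checks on both arrays are correct and should stay. The function starts outside this hunk.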
@@ -503,7 +778,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
u_int8_t *proto,
u_int8_t **payload,
u_int16_t *payload_len,
- u_int8_t *src_to_dst_direction) {
+ u_int8_t *src_to_dst_direction,
+ struct timeval when) {
struct ndpi_iphdr iph;
memset(&iph, 0, sizeof(iph));
@@ -523,12 +799,35 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
ntohs(iph6->ip6_hdr.ip6_un1_plen),
tcph, udph, sport, dport,
src, dst, proto, payload,
- payload_len, src_to_dst_direction));
+ payload_len, src_to_dst_direction, when));
}
/* ****************************************************** */
void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) {
+
+ if(enable_joy_stats) {
+ /* Update SPLT scores. */
+
+ if(flow->bidirectional)
+ flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
+ flow->dst2src_pkt_len, flow->dst2src_pkt_time,
+ flow->src2dst_start, flow->dst2src_start,
+ MAX_NUM_PKTS, flow->src_port, flow->dst_port,
+ flow->src2dst_packets, flow->dst2src_packets,
+ flow->src2dst_opackets, flow->dst2src_opackets,
+ flow->src2dst_l4_bytes, flow->dst2src_l4_bytes, 1,
+ flow->src2dst_byte_count, flow->dst2src_byte_count);
+ else
+ flow->score = ndpi_classify(flow->src2dst_pkt_len, flow->src2dst_pkt_time,
+ NULL, NULL, flow->src2dst_start, flow->src2dst_start,
+ MAX_NUM_PKTS, flow->src_port, flow->dst_port,
+ flow->src2dst_packets, 0,
+ flow->src2dst_opackets, 0,
+ flow->src2dst_l4_bytes, 0, 1,
+ flow->src2dst_byte_count, NULL);
+ }
+
if(!flow->ndpi_flow) return;
snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s",
@@ -559,27 +858,33 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_DNS) {
/* SSH */
if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) {
- snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s",
+ snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s",
flow->ndpi_flow->protos.ssh.client_signature);
- snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s",
+ snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s",
flow->ndpi_flow->protos.ssh.server_signature);
+ snprintf(flow->ssh_tls.client_hassh, sizeof(flow->ssh_tls.client_hassh), "%s",
+ flow->ndpi_flow->protos.ssh.hassh_client);
+ snprintf(flow->ssh_tls.server_hassh, sizeof(flow->ssh_tls.server_hassh), "%s",
+ flow->ndpi_flow->protos.ssh.hassh_server);
}
- /* SSL */
- else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)) {
- flow->ssh_ssl.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version;
- snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s",
+ /* TLS */
+ else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
+ || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0')
+ ) {
+ flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version;
+ snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate);
- snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s",
+ snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate);
- snprintf(flow->ssh_ssl.server_organization, sizeof(flow->ssh_ssl.server_organization), "%s",
+ snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.server_organization);
- snprintf(flow->ssh_ssl.ja3_client, sizeof(flow->ssh_ssl.ja3_client), "%s",
+ snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client);
- snprintf(flow->ssh_ssl.ja3_server, sizeof(flow->ssh_ssl.ja3_server), "%s",
+ snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server);
- flow->ssh_ssl.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher;
- flow->ssh_ssl.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher;
+ flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher;
+ flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher;
}
}
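Review bot: The added `|| (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0')` reads a TLS field for every non-DNS, non-SSH flow, whatever protocol was actually detected. If `protos` is a union (its declaration is outside this hunk), that byte may hold data written by another dissector. A non-TLS flow could then be reported with TLS certificate and JA3 strings copied from unrelated bytes. Consider limiting the test to flows whose dissector can fill `stun_ssl`, or add a comment such as `/* ja3_client is only valid when the TLS/STUN dissector ran on this flow */` and confirm the library zeroes the field otherwise.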
@@ -613,7 +918,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
u_int16_t ip_offset,
u_int16_t ipsize, u_int16_t rawsize,
const struct pcap_pkthdr *header,
- const u_char *packet) {
+ const u_char *packet,
+ struct timeval when) {
struct ndpi_id_struct *src, *dst;
struct ndpi_flow_info *flow = NULL;
struct ndpi_flow_struct *ndpi_flow = NULL;
@@ -631,12 +937,12 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
ntohs(iph->tot_len) - (iph->ihl * 4),
&tcph, &udph, &sport, &dport,
&src, &dst, &proto,
- &payload, &payload_len, &src_to_dst_direction);
+ &payload, &payload_len, &src_to_dst_direction, when);
else
flow = get_ndpi_flow_info6(workflow, vlan_id, iph6, ip_offset,
&tcph, &udph, &sport, &dport,
&src, &dst, &proto,
- &payload, &payload_len, &src_to_dst_direction);
+ &payload, &payload_len, &src_to_dst_direction, when);
if(flow != NULL) {
workflow->stats.ip_packet_count++;
@@ -644,22 +950,34 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
workflow->stats.total_ip_bytes += rawsize;
ndpi_flow = flow->ndpi_flow;
- if(src_to_dst_direction)
+ if(src_to_dst_direction) {
flow->src2dst_packets++, flow->src2dst_bytes += rawsize;
- else
+ flow->src2dst_l4_bytes += payload_len;
+ } else {
flow->dst2src_packets++, flow->dst2src_bytes += rawsize;
+ flow->dst2src_l4_bytes += payload_len;
+ }
+
+ if(enable_payload_analyzer && (payload_len > 0))
+ ndpi_payload_analyzer(flow, src_to_dst_direction, payload, payload_len);
+
+ if(enable_joy_stats) {
+ /* Update BD, distribution and mean. */
+ ndpi_flow_update_byte_count(flow, payload, payload_len, src_to_dst_direction);
+ ndpi_flow_update_byte_dist_mean_var(flow, payload, payload_len, src_to_dst_direction);
+ }
flow->last_seen = time;
if(!flow->has_human_readeable_strings) {
u_int8_t skip = 0;
-
+
if((proto == IPPROTO_TCP)
&& (
- (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)
+ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
|| (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
) {
if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */)
skip = 1;
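Review bot: The new `ndpi_payload_analyzer`, `ndpi_flow_update_byte_count` and `ndpi_flow_update_byte_dist_mean_var` calls read `payload_len` bytes from `payload`, and that length is derived from IP header fields rather than from `header->caplen`. The call site above passes `ntohs(iph->tot_len) - (iph->ihl * 4)` as the L4 length. Unless get_ndpi_flow_info rejects packets whose declared length exceeds the captured size (not visible in this hunk), a truncated or malformed capture can make these per-byte loops read past the pcap buffer. A guard before the calls would make this safe regardless, for example `if(payload && (payload + payload_len <= packet + header->caplen))`. packet_processing starts and ends outside this hunk.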
@@ -667,7 +985,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if(!skip) {
char outbuf[64] = { '\0' };
-
+
if(ndpi_has_human_readeable_string(workflow->ndpi_struct, (char*)packet, header->caplen,
human_readeable_string_len,
flow->human_readeable_string_buffer,
@@ -677,10 +995,10 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
} else {
if((proto == IPPROTO_TCP)
&& (
- (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)
+ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
|| (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH)
- || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
+ || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH))
)
flow->has_human_readeable_strings = 0;
}
@@ -691,8 +1009,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if(!flow->detection_completed) {
u_int enough_packets =
- (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8))
- || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) ? 1 : 0;
+ (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts))
+ || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0;
flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
iph ? (uint8_t *)iph : (uint8_t *)iph6,
@@ -700,7 +1018,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) {
if((!enough_packets)
- && (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)
+ && (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
&& (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server[0] == '\0'))
; /* Wait for JA3S certificate */
else {
@@ -985,7 +1303,7 @@ iph_check:
proto = options[0];
ip_len += 8 * (options[1] + 1);
}
-
+
iph = NULL;
} else {
static u_int8_t ipv4_warning_used = 0;
@@ -1070,7 +1388,7 @@ iph_check:
/* process the packet */
return(packet_processing(workflow, time, vlan_id, iph, iph6,
ip_offset, header->caplen - ip_offset,
- header->caplen, header, packet));
+ header->caplen, header, packet, header->ts));
}
/* ********************************************************** */
diff --git a/example/reader_util.h b/example/reader_util.h
index b006fd8d3..cf6acc7ec 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -31,6 +31,7 @@
#include "uthash.h"
#include <pcap.h>
+#include "ndpi_classify.h"
#ifdef USE_DPDK
#include <rte_eal.h>
@@ -50,6 +51,14 @@
extern int dpdk_port_init(int port, struct rte_mempool *mbuf_pool);
#endif
+/* ETTA Spec defiintions for feature readiness */
+#define ETTA_MIN_PACKETS 10
+#define ETTA_MIN_OCTETS 4000
+/** maximum line length */
+#define LINEMAX 512
+#define MAX_BYTE_COUNT_ARRAY_LENGTH 256
+#define MAX_NUM_PKTS 100
+
#define MAX_NUM_READER_THREADS 16
#define IDLE_SCAN_PERIOD 10 /* msec (use TICK_RESOLUTION = 1000) */
#define MAX_IDLE_TIME 30000
@@ -115,6 +124,7 @@ typedef struct ndpi_ja3_fingerprints_host{
// flow tracking
typedef struct ndpi_flow_info {
+ u_int32_t flow_id;
u_int32_t hashval;
u_int32_t src_ip;
u_int32_t dst_ip;
@@ -128,6 +138,7 @@ typedef struct ndpi_flow_info {
u_int64_t last_seen;
u_int64_t src2dst_bytes, dst2src_bytes;
u_int32_t src2dst_packets, dst2src_packets;
+ u_int32_t src2dst_opackets, dst2src_opackets;
u_int32_t has_human_readeable_strings;
char human_readeable_string_buffer[32];
@@ -141,13 +152,36 @@ typedef struct ndpi_flow_info {
struct {
u_int16_t ssl_version;
- char client_info[64], server_info[64], server_organization[64],
+ char client_info[64], server_info[64],
+ client_hassh[33], server_hassh[33],
+ server_organization[64],
ja3_client[33], ja3_server[33];
u_int16_t server_cipher;
ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
- } ssh_ssl;
+ } ssh_tls;
void *src_id, *dst_id;
+
+ // Entropy fields
+ u_int16_t src2dst_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
+ struct timeval src2dst_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
+ u_int16_t dst2src_pkt_len[MAX_NUM_PKTS]; /*!< array of packet appdata lengths */
+ struct timeval dst2src_pkt_time[MAX_NUM_PKTS]; /*!< array of arrival times */
+ struct timeval src2dst_start; /*!< first packet arrival time */
+ struct timeval dst2src_start; /*!< first packet arrival time */
+ u_int16_t src2dst_pkt_count; /*!< packet counts */
+ u_int16_t dst2src_pkt_count; /*!< packet counts */
+ u_int32_t src2dst_l4_bytes; /*!< packet counts */
+ u_int32_t dst2src_l4_bytes; /*!< packet counts */
+ u_int32_t src2dst_byte_count[256]; /*!< number of occurences of each byte */
+ u_int32_t dst2src_byte_count[256]; /*!< number of occurences of each byte */
+ u_int32_t src2dst_num_bytes;
+ u_int32_t dst2src_num_bytes;
+ double src2dst_bd_mean;
+ double src2dst_bd_variance;
+ double dst2src_bd_mean;
+ double dst2src_bd_variance;
+ float score;
} ndpi_flow_info_t;
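Review bot: Several comments on the new entropy fields do not describe the field they sit on. `src2dst_l4_bytes` and `dst2src_l4_bytes` are both documented as `/*!< packet counts */`, although packet_processing adds `payload_len` to them, so they should read `/*!< L4 payload bytes seen in this direction */`. The `*_pkt_len` arrays are documented as "appdata lengths" but get_ndpi_flow_info stores `l4_packet_len` in them. It would also help to note on `src2dst_pkt_count`/`dst2src_pkt_count` that they stop at `MAX_NUM_PKTS` and index the arrays above, since that bound is what keeps the array writes in range.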
@@ -245,6 +279,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
u_int32_t ethernet_crc32(const void* data, size_t n_bytes);
void ndpi_flow_info_freer(void *node);
const char* print_cipher_id(u_int32_t cipher);
+float ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], unsigned int num_bytes);
extern int nDPI_LogLevel;
diff --git a/packages/rpm/ndpi.spec.in b/packages/rpm/ndpi.spec.in
index e93e73577..a177e3724 100644
--- a/packages/rpm/ndpi.spec.in
+++ b/packages/rpm/ndpi.spec.in
@@ -4,7 +4,6 @@ Version: @PACKAGE_VERSION@
Release: %{buildnumber}
License: LGPL
Group: Networking/Utilities
-Conflicts: nprobe-dev
URL: http://www.ntop.org/products/deep-packet-inspection/ndpi/
Source: ndpi-%{version}.tgz
Packager: Luca Deri <deri@ntop.org>
@@ -64,6 +63,7 @@ cp $HOME/nDPI/packages/etc/ld.so.conf.d/ndpi.conf $RPM_BUILD_ROOT/etc/ld.so.conf
rm -rf $RPM_BUILD_ROOT/usr/local/sbin/ndpi
strip $RPM_BUILD_ROOT%{bindir}/*
rm -fr %{buildroot}%{includedir}/ndpi_win32.h
+#sed -i -e "s/#include \"ndpi_win32.h\"//g" %{buildroot}%{includedir}/ndpi_main.h
%clean
rm -fr $RPM_BUILD_ROOT
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 20dd048ad..94e835557 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -681,12 +681,12 @@ extern "C" {
*
* @par ndpi_struct = the detection module
* @par flow = the detected flow
- * @par certificate = the ssl certificate
+ * @par certificate = the SSL/TLS certificate
* @return 1 if the flow is TOR;
* 0 else
*
*/
- int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
+ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *certificate);
/* Wrappers functions */
@@ -774,8 +774,9 @@ extern "C" {
/* LRU cache */
struct ndpi_lru_cache* ndpi_lru_cache_init(u_int32_t num_entries);
void ndpi_lru_free_cache(struct ndpi_lru_cache *c);
- u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int8_t clean_key_when_found);
- void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key);
+ u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key,
+ u_int16_t *value, u_int8_t clean_key_when_found);
+ void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t value);
/**
* Add a string to match to an automata
@@ -833,15 +834,24 @@ extern "C" {
u_int32_t key, const char *value);
int ndpi_serialize_string_uint32(ndpi_serializer *serializer,
const char *key, u_int32_t value);
+ int ndpi_serialize_string_uint32_format(ndpi_serializer *serializer,
+ const char *key, u_int32_t value,
+ const char *format);
int ndpi_serialize_string_uint64(ndpi_serializer *serializer,
const char *key, u_int64_t value);
int ndpi_serialize_string_string(ndpi_serializer *serializer,
const char *key, const char *value);
+ int ndpi_serialize_string_float(ndpi_serializer *serializer,
+ const char *key, float value,
+ const char *format /* e.f. "%.2f" */);
int ndpi_serialize_end_of_record(ndpi_serializer *serializer);
-
+ char* ndpi_serializer_get_buffer(ndpi_serializer *_serializer, u_int32_t *buffer_len);
+ u_int32_t ndpi_serializer_get_buffer_len(ndpi_serializer *_serializer);
+
/* Deserializer */
int ndpi_init_deserializer(ndpi_deserializer *deserializer,
- ndpi_serializer *serializer);
+ ndpi_serializer *serializer);
+ void ndpi_serializer_set_csv_separator(ndpi_serializer *serializer, char separator);
int ndpi_init_deserializer_buf(ndpi_deserializer *deserializer,
u_int8_t *serialized_buffer,
u_int32_t serialized_buffer_len);
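Review bot: The `format` parameter added to `ndpi_serialize_string_uint32_format` and `ndpi_serialize_string_float` has no documented contract. If the implementation (outside this hunk) hands it to a printf-family call, a format that comes from configuration or traffic, or that has the wrong conversion for the value type, becomes a format-string defect. I would add above both prototypes: `/* format: trusted printf-style literal with exactly one conversion matching the value (e.g. "%.2f"); never pass data-derived strings */`. The existing comment's `e.f.` should read `e.g.`. `ndpi_serializer_set_csv_separator` is declared under the `/* Deserializer */` heading although it configures the serializer.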
@@ -864,6 +874,8 @@ extern "C" {
ndpi_string *key, u_int64_t *value);
int ndpi_deserialize_string_string(ndpi_deserializer *deserializer,
ndpi_string *key, ndpi_string *value);
+ int ndpi_deserialize_string_float(ndpi_deserializer *deserializer,
+ ndpi_string *key, float *value);
int ndpi_deserialize_end_of_record(ndpi_deserializer *deserializer);
#ifdef __cplusplus
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 4ad618e3e..d988cd140 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -98,7 +98,7 @@ typedef enum {
NDPI_PROTOCOL_QQLIVE = 61,
NDPI_PROTOCOL_THUNDER = 62,
NDPI_PROTOCOL_SOULSEEK = 63,
- NDPI_PROTOCOL_SSL_NO_CERT = 64,
+ NDPI_PROTOCOL_TLS_NO_CERT = 64,
NDPI_PROTOCOL_IRC = 65,
NDPI_PROTOCOL_AYIYA = 66,
NDPI_PROTOCOL_UNENCRYPTED_JABBER = 67,
@@ -125,7 +125,7 @@ typedef enum {
NDPI_PROTOCOL_RDP = 88,
NDPI_PROTOCOL_VNC = 89,
NDPI_PROTOCOL_PCANYWHERE = 90,
- NDPI_PROTOCOL_SSL = 91,
+ NDPI_PROTOCOL_TLS = 91,
NDPI_PROTOCOL_SSH = 92,
NDPI_PROTOCOL_USENET = 93,
NDPI_PROTOCOL_MGCP = 94,
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 187fbec13..cb96270f1 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -312,7 +312,7 @@ void init_soulseek_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
void init_socks_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_spotify_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ssh_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
-void init_ssl_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_starcraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_stealthnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_steam_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index e240f7847..019d50155 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -411,8 +411,14 @@ typedef enum {
NDPI_HTTP_METHOD_CONNECT
} ndpi_http_method;
+struct ndpi_lru_cache_entry {
+ u_int32_t key; /* Store the whole key to avoid ambiguities */
+ u_int32_t is_full:1, value:16, pad:15;
+};
+
struct ndpi_lru_cache {
- u_int32_t num_entries, *entries;
+ u_int32_t num_entries;
+ struct ndpi_lru_cache_entry *entries;
};
struct ndpi_id_struct {
@@ -584,7 +590,7 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_TELNET */
u_int32_t telnet_stage:2; // 0 - 2
- /* NDPI_PROTOCOL_SSL */
+ /* NDPI_PROTOCOL_TLS */
u_int8_t ssl_seen_client_cert:1,
ssl_seen_server_cert:1,
ssl_seen_certificate:1,
@@ -777,8 +783,7 @@ struct ndpi_packet_struct {
u_int8_t ssl_certificate_detected:4, ssl_certificate_num_checks:4;
u_int8_t packet_lines_parsed_complete:1,
- packet_direction:1,
- empty_line_position_set:1;
+ packet_direction:1, empty_line_position_set:1, pad:5;
};
struct ndpi_detection_module_struct;
@@ -805,7 +810,8 @@ typedef enum {
NDPI_PROTOCOL_ACCEPTABLE, /* Probably doesn't provide risks, but could be malicious (e.g., Dropbox) */
NDPI_PROTOCOL_FUN, /* Pure fun protocol, which may be prohibited by the user policy (e.g., Netflix) */
NDPI_PROTOCOL_UNSAFE, /* Probably provides risks, but could be a normal traffic. Unencrypted protocols with clear pass should be here (e.g., telnet) */
- NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Surely is dangerous (ex. Tor). Be prepared to troubles */
+ NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Possibly dangerous (ex. Tor). */
+ NDPI_PROTOCOL_DANGEROUS, /* Surely is dangerous (ex. smbv1). Be prepared to troubles */
NDPI_PROTOCOL_TRACKER_ADS, /* Trackers, Advertisements... */
NDPI_PROTOCOL_UNRATED /* No idea, not implemented or impossible to classify */
} ndpi_protocol_breed_t;
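Review bot: Inserting `NDPI_PROTOCOL_DANGEROUS` before `NDPI_PROTOCOL_TRACKER_ADS` renumbers `NDPI_PROTOCOL_TRACKER_ADS` and `NDPI_PROTOCOL_UNRATED`, because the enumerators have no explicit values. Any consumer that stored, exported or compiled against the old breed numbers will now misread them. The `ndpi_serialization_element_type` hunk further down has the same problem: `ndpi_serialization_string_float` is placed before `ndpi_serialization_string_string`, and if the element type is written into serialized TLV buffers, records produced by an older library will decode wrongly. Giving the enumerators explicit values, or appending new ones after the existing entries, keeps the old numbers stable. If the breed order is meant to express severity, say so in a comment and note the ABI change in the release notes.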
@@ -1061,6 +1067,9 @@ struct ndpi_detection_module_struct {
/* NDPI_PROTOCOL_TINC */
struct cache *tinc_cache;
+ /* NDPI_PROTOCOL_STUN and subprotocols */
+ struct ndpi_lru_cache *stun_cache;
+
ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS];
u_int8_t http_dont_dissect_response:1, dns_dont_dissect_response:1,
@@ -1161,11 +1170,12 @@ struct ndpi_flow_struct {
u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype;
} stun;
- /* We can have STUN over SSL thus they need to live together */
+ /* We can have STUN over SSL/TLS thus they need to live together */
} stun_ssl;
struct {
char client_signature[48], server_signature[48];
+ char hassh_client[33], hassh_server[33];
} ssh;
struct {
@@ -1310,6 +1320,7 @@ typedef enum {
ndpi_serialization_format_unknown = 0,
ndpi_serialization_format_tlv,
ndpi_serialization_format_json,
+ ndpi_serialization_format_csv
} ndpi_serialization_format;
typedef enum {
@@ -1322,6 +1333,7 @@ typedef enum {
ndpi_serialization_string_int64,
ndpi_serialization_string_uint32,
ndpi_serialization_string_uint64,
+ ndpi_serialization_string_float,
ndpi_serialization_string_string,
} ndpi_serialization_element_type;
@@ -1334,8 +1346,12 @@ typedef struct {
ndpi_serialization_format fmt;
u_int32_t status;
u_int8_t *buffer;
- char *json_buffer;
-} ndpi_serializer;
+ char csv_separator[2];
+} ndpi_private_serializer;
+
+#define ndpi_private_deserializer ndpi_private_serializer
+
+typedef struct { char c[sizeof(ndpi_private_serializer)]; } ndpi_serializer;
#define ndpi_deserializer ndpi_serializer
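Review bot: The new public `ndpi_serializer` wraps `char c[sizeof(ndpi_private_serializer)]`, which has an alignment requirement of 1, while `ndpi_private_serializer` contains a `u_int8_t *buffer` and `u_int32_t` members. If the library casts an `ndpi_serializer *` to `ndpi_private_serializer *` (the implementation is outside this hunk; the `_serializer` parameter names in ndpi_api.h suggest it does), an `ndpi_serializer` on the caller's stack or inside another struct can be misaligned. That access is undefined behaviour and faults on strict-alignment targets. Adding suitably aligned members fixes it without changing the size on common ABIs: `typedef union { char c[sizeof(ndpi_private_serializer)]; void *align_ptr; u_int64_t align_u64; } ndpi_serializer;`.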
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 9c0356ec8..79ab8e5e4 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8382,10 +8382,10 @@ ndpi_protocol_match host_match[] = {
{ "ntop.org", NULL, "ntop\\.org$", "ntop", NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_SAFE },
- { "docs.googleusercontent.com", NULL, "docs.googleusercontent" TLD, "GoogleDocs", NDPI_PROTOCOL_GOOGLE_DOCS, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_ACCEPTABLE },
- { "docs.google.com", NULL, "docs.google" TLD, "GoogleDocs", NDPI_PROTOCOL_GOOGLE_DOCS, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_ACCEPTABLE },
+ { "docs.googleusercontent.com", NULL, "docs.googleusercontent" TLD, "GoogleDocs", NDPI_PROTOCOL_GOOGLE_DOCS, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
+ { "docs.google.com", NULL, "docs.google" TLD, "GoogleDocs", NDPI_PROTOCOL_GOOGLE_DOCS, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { "drive-thirdparty.googleusercontent.com", NULL, "drive-thirdparty\\.googleusercontent" TLD, "GoogleDrive", NDPI_PROTOCOL_GOOGLE_DRIVE, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
+ { "drive-thirdparty.googleusercontent.com", NULL, "drive-thirdparty\\.googleusercontent" TLD, "GoogleDrive", NDPI_PROTOCOL_GOOGLE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "drive.google.com", NULL, "drive.google" TLD, "GoogleDrive", NDPI_PROTOCOL_GOOGLE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "android.clients.google.com", NULL, "android\\.clients\\.google" TLD, "PlayStore", NDPI_PROTOCOL_PLAYSTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_SAFE },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9b6bdc632..cca061856 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -51,6 +51,9 @@
#define NDPI_CONST_GENERIC_PROTOCOL_NAME "GenericProtocol"
+/* stun.c */
+extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow);
+
static int _ndpi_debug_callbacks = 0;
/* #define MATCH_DEBUG 1 */
@@ -846,7 +849,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "XDMCP", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
ndpi_build_default_ports(ports_a, 177, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 177, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SMBV1,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_DANGEROUS, NDPI_PROTOCOL_SMBV1,
0 /* can_have_a_subprotocol */, no_master,
no_master, "SMBv1", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -1097,10 +1100,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- custom_master[0] = NDPI_PROTOCOL_SSL, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSL_NO_CERT,
+ custom_master[0] = NDPI_PROTOCOL_TLS, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TLS_NO_CERT,
1 /* can_have_a_subprotocol */, custom_master,
- no_master, "SSL_No_Cert", NDPI_PROTOCOL_CATEGORY_WEB,
+ no_master, "TLS_No_Cert", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_IRC,
@@ -1241,10 +1244,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- custom_master[0] = NDPI_PROTOCOL_SSL_NO_CERT, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_SSL,
+ custom_master[0] = NDPI_PROTOCOL_TLS_NO_CERT, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_TLS,
1 /* can_have_a_subprotocol */, no_master,
- custom_master, "SSL", NDPI_PROTOCOL_CATEGORY_WEB,
+ custom_master, "TLS", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 443, 3001 /* ntop */, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSH,
@@ -1749,7 +1752,7 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
#ifdef MATCH_DEBUG
printf("Searching [to search: %s/%u][pattern: %s/%u] [len: %u][match_num: %u][%s]\n",
- buf, txt->length, m->patterns->astring, m->patterns->length, min_len,
+ buf, (unigned int)txt->length, m->patterns->astring, m->patterns->length, min_len,
m->match_num, m->patterns->astring);
#endif
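Review bot: The added cast `(unigned int)txt->length` misspells `unsigned`, so this file no longer compiles when `MATCH_DEBUG` is defined. The block is disabled by default, which is why the build does not catch it. The line should read `buf, (unsigned int)txt->length, m->patterns->astring, m->patterns->length, min_len,`. `m->patterns->length` is printed with the same `%u` and may need the same cast if its type matches that of `txt->length` (its declaration is not visible here).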
@@ -1768,7 +1771,8 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
to avoid matching aws.amazon.com whereas a.ws.amazon.com
has to match
*/
- if(whatfound && (whatfound != buf)
+ if(whatfound
+ && (whatfound != buf)
&& (m->patterns->astring[0] != '.') /* The searched pattern does not start with . */
&& strchr(m->patterns->astring, '.') /* The matched pattern has a . (e.g. numeric or sym IPs) */
&& (whatfound[-1] != '.')
@@ -2288,7 +2292,7 @@ int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str
if(!ndpi_struct->custom_categories.categories_loaded)
return -1;
-
+
snprintf(ipbuf, sizeof(ipbuf)-1, "%s", name_or_ip);
ptr = strrchr(ipbuf, '/');
@@ -2337,6 +2341,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_struct
if(ndpi_struct->ookla_cache)
ndpi_lru_free_cache(ndpi_struct->ookla_cache);
+ if(ndpi_struct->stun_cache)
+ ndpi_lru_free_cache(ndpi_struct->stun_cache);
+
if(ndpi_struct->protocols_ptree)
ndpi_Destroy_Patricia((patricia_tree_t*)ndpi_struct->protocols_ptree, free_ptree_data);
@@ -2810,8 +2817,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* STARCRAFT */
init_starcraft_dissector(ndpi_struct, &a, detection_bitmask);
- /* SSL */
- init_ssl_dissector(ndpi_struct, &a, detection_bitmask);
+ /* TLS */
+ init_tls_dissector(ndpi_struct, &a, detection_bitmask);
/* STUN */
init_stun_dissector(ndpi_struct, &a, detection_bitmask);
@@ -3630,125 +3637,124 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
}
void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
-{
- /* const for gcc code optimization and cleaner code */
- struct ndpi_packet_struct *packet = &flow->packet;
- const struct ndpi_iphdr *iph = packet->iph;
+ struct ndpi_flow_struct *flow) {
+ if(!flow) {
+ return;
+ } else {
+ /* const for gcc code optimization and cleaner code */
+ struct ndpi_packet_struct *packet = &flow->packet;
+ const struct ndpi_iphdr *iph = packet->iph;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
- const struct ndpi_ipv6hdr *iphv6 = packet->iphv6;
+ const struct ndpi_ipv6hdr *iphv6 = packet->iphv6;
#endif
- const struct ndpi_tcphdr *tcph = packet->tcp;
- const struct ndpi_udphdr *udph = flow->packet.udp;
+ const struct ndpi_tcphdr *tcph = packet->tcp;
+ const struct ndpi_udphdr *udph = flow->packet.udp;
- if (!flow) {
- return;
- }
+ packet->tcp_retransmission = 0, packet->packet_direction = 0;
- packet->tcp_retransmission = 0, packet->packet_direction = 0;
-
- if(ndpi_struct->direction_detect_disable) {
- packet->packet_direction = flow->packet_direction;
- } else {
- if(iph != NULL && ntohl(iph->saddr) < ntohl(iph->daddr))
- packet->packet_direction = 1;
+ if(ndpi_struct->direction_detect_disable) {
+ packet->packet_direction = flow->packet_direction;
+ } else {
+ if(iph != NULL && ntohl(iph->saddr) < ntohl(iph->daddr))
+ packet->packet_direction = 1;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
- if(iphv6 != NULL && NDPI_COMPARE_IPV6_ADDRESS_STRUCTS(&iphv6->ip6_src,
- &iphv6->ip6_dst) != 0)
- packet->packet_direction = 1;
+ if(iphv6 != NULL && NDPI_COMPARE_IPV6_ADDRESS_STRUCTS(&iphv6->ip6_src,
+ &iphv6->ip6_dst) != 0)
+ packet->packet_direction = 1;
#endif
- }
+ }
- packet->packet_lines_parsed_complete = 0;
+ packet->packet_lines_parsed_complete = 0;
- if(flow->init_finished == 0) {
- flow->init_finished = 1;
- flow->setup_packet_direction = packet->packet_direction;
- }
+ if(flow->init_finished == 0) {
+ flow->init_finished = 1;
+ flow->setup_packet_direction = packet->packet_direction;
+ }
- if(tcph != NULL) {
- /* reset retried bytes here before setting it */
- packet->num_retried_bytes = 0;
+ if(tcph != NULL) {
+ /* reset retried bytes here before setting it */
+ packet->num_retried_bytes = 0;
- if(!ndpi_struct->direction_detect_disable)
- packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0;
+ if(!ndpi_struct->direction_detect_disable)
+ packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0;
- if(tcph->syn != 0 && tcph->ack == 0 && flow->l4.tcp.seen_syn == 0 && flow->l4.tcp.seen_syn_ack == 0
- && flow->l4.tcp.seen_ack == 0) {
- flow->l4.tcp.seen_syn = 1;
- }
- if(tcph->syn != 0 && tcph->ack != 0 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 0
- && flow->l4.tcp.seen_ack == 0) {
- flow->l4.tcp.seen_syn_ack = 1;
- }
- if(tcph->syn == 0 && tcph->ack == 1 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 1
- && flow->l4.tcp.seen_ack == 0) {
- flow->l4.tcp.seen_ack = 1;
- }
- if((flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0)
- || (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0)) {
- /* initialize tcp sequence counters */
- /* the ack flag needs to be set to get valid sequence numbers from the other
- * direction. Usually it will catch the second packet syn+ack but it works
- * also for asymmetric traffic where it will use the first data packet
- *
- * if the syn flag is set add one to the sequence number,
- * otherwise use the payload length.
- */
- if(tcph->ack != 0) {
- flow->next_tcp_seq_nr[flow->packet.packet_direction] =
- ntohl(tcph->seq) + (tcph->syn ? 1 : packet->payload_packet_len);
-
- flow->next_tcp_seq_nr[1 -flow->packet.packet_direction] = ntohl(tcph->ack_seq);
+ if(tcph->syn != 0 && tcph->ack == 0 && flow->l4.tcp.seen_syn == 0 && flow->l4.tcp.seen_syn_ack == 0
+ && flow->l4.tcp.seen_ack == 0) {
+ flow->l4.tcp.seen_syn = 1;
+ }
+ if(tcph->syn != 0 && tcph->ack != 0 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 0
+ && flow->l4.tcp.seen_ack == 0) {
+ flow->l4.tcp.seen_syn_ack = 1;
}
- } else if(packet->payload_packet_len > 0) {
- /* check tcp sequence counters */
- if(((u_int32_t)(ntohl(tcph->seq) - flow->next_tcp_seq_nr[packet->packet_direction])) >
- ndpi_struct->tcp_max_retransmission_window_size) {
-
- packet->tcp_retransmission = 1;
-
- /* CHECK IF PARTIAL RETRY IS HAPPENING */
- if((flow->next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq) < packet->payload_packet_len)) {
- /* num_retried_bytes actual_payload_len hold info about the partial retry
- analyzer which require this info can make use of this info
- Other analyzer can use packet->payload_packet_len */
- packet->num_retried_bytes = (u_int16_t)(flow->next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq));
- packet->actual_payload_len = packet->payload_packet_len - packet->num_retried_bytes;
+ if(tcph->syn == 0 && tcph->ack == 1 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 1
+ && flow->l4.tcp.seen_ack == 0) {
+ flow->l4.tcp.seen_ack = 1;
+ }
+ if((flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0)
+ || (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0)) {
+ /* initialize tcp sequence counters */
+ /* the ack flag needs to be set to get valid sequence numbers from the other
+ * direction. Usually it will catch the second packet syn+ack but it works
+ * also for asymmetric traffic where it will use the first data packet
+ *
+ * if the syn flag is set add one to the sequence number,
+ * otherwise use the payload length.
+ */
+ if(tcph->ack != 0) {
+ flow->next_tcp_seq_nr[flow->packet.packet_direction] =
+ ntohl(tcph->seq) + (tcph->syn ? 1 : packet->payload_packet_len);
+
+ flow->next_tcp_seq_nr[1 -flow->packet.packet_direction] = ntohl(tcph->ack_seq);
+ }
+ } else if(packet->payload_packet_len > 0) {
+ /* check tcp sequence counters */
+ if(((u_int32_t)(ntohl(tcph->seq) - flow->next_tcp_seq_nr[packet->packet_direction])) >
+ ndpi_struct->tcp_max_retransmission_window_size) {
+
+ packet->tcp_retransmission = 1;
+
+ /* CHECK IF PARTIAL RETRY IS HAPPENING */
+ if((flow->next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq) < packet->payload_packet_len)) {
+ /* num_retried_bytes actual_payload_len hold info about the partial retry
+ analyzer which require this info can make use of this info
+ Other analyzer can use packet->payload_packet_len */
+ packet->num_retried_bytes = (u_int16_t)(flow->next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq));
+ packet->actual_payload_len = packet->payload_packet_len - packet->num_retried_bytes;
+ flow->next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len;
+ }
+ }
+
+ /* normal path
+ actual_payload_len is initialized to payload_packet_len during tcp header parsing itself.
+ It will be changed only in case of retransmission */
+ else {
+ packet->num_retried_bytes = 0;
flow->next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len;
}
}
- /* normal path
- actual_payload_len is initialized to payload_packet_len during tcp header parsing itself.
- It will be changed only in case of retransmission */
- else {
- packet->num_retried_bytes = 0;
- flow->next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len;
+ if(tcph->rst) {
+ flow->next_tcp_seq_nr[0] = 0;
+ flow->next_tcp_seq_nr[1] = 0;
}
+ } else if(udph != NULL) {
+ if(!ndpi_struct->direction_detect_disable)
+ packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0;
}
- if(tcph->rst) {
- flow->next_tcp_seq_nr[0] = 0;
- flow->next_tcp_seq_nr[1] = 0;
+ if(flow->packet_counter < MAX_PACKET_COUNTER && packet->payload_packet_len) {
+ flow->packet_counter++;
}
- } else if(udph != NULL) {
- if(!ndpi_struct->direction_detect_disable)
- packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0;
- }
-
- if(flow->packet_counter < MAX_PACKET_COUNTER && packet->payload_packet_len) {
- flow->packet_counter++;
- }
- if(flow->packet_direction_counter[packet->packet_direction] < MAX_PACKET_COUNTER && packet->payload_packet_len) {
- flow->packet_direction_counter[packet->packet_direction]++;
- }
+ if(flow->packet_direction_counter[packet->packet_direction] < MAX_PACKET_COUNTER && packet->payload_packet_len) {
+ flow->packet_direction_counter[packet->packet_direction]++;
+ }
- if(flow->byte_counter[packet->packet_direction] + packet->payload_packet_len >
- flow->byte_counter[packet->packet_direction]) {
- flow->byte_counter[packet->packet_direction] += packet->payload_packet_len;
+ if(flow->byte_counter[packet->packet_direction] + packet->payload_packet_len >
+ flow->byte_counter[packet->packet_direction]) {
+ flow->byte_counter[packet->packet_direction] += packet->payload_packet_len;
+ }
}
}
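Review bot: The sequence-counter test in the re-indented body of `ndpi_connection_tracking` is redundant: in `(flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0) || (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0)` the first clause is implied by the second. It can be reduced to `if(flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0) {` with no change in behaviour, which makes it clearer that either unset counter triggers initialisation. Moving the `!flow` test ahead of the `&flow->packet` dereference is the right fix, but wrapping the whole body in `else { ... }` adds a nesting level that an early `return` does not need.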
@@ -3785,7 +3791,7 @@ void check_ndpi_other_flow_func(struct ndpi_detection_module_struct *ndpi_struct
if((func != ndpi_struct->callback_buffer_non_tcp_udp[a].func)
&& (ndpi_struct->callback_buffer_non_tcp_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
ndpi_struct->callback_buffer_non_tcp_udp[a].ndpi_selection_bitmask
- &&
+ &&
NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
ndpi_struct->callback_buffer_non_tcp_udp[a].excluded_protocol_bitmask) == 0
&& NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer_non_tcp_udp[a].detection_bitmask,
@@ -3938,7 +3944,7 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_
struct in_addr addr;
addr.s_addr = flow->packet.iph->saddr;
-
+
/* guess host protocol */
ret = ndpi_network_ptree_match(ndpi_struct, &addr);
@@ -4026,9 +4032,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)
goto check_stun_export;
+ else if((flow->guessed_protocol_id == NDPI_PROTOCOL_HANGOUT_DUO)
+ || (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER)
+ || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_VOICE))
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
else if((flow->l4.tcp.ssl_seen_client_cert == 1)
&& (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
} else {
ndpi_protocol ret_g = ndpi_get_partial_detection(ndpi_struct, flow);
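Review bot: The added `else if` promotes `flow->guessed_protocol_id` straight to a detected protocol for `NDPI_PROTOCOL_HANGOUT_DUO`, `NDPI_PROTOCOL_MESSENGER` and `NDPI_PROTOCOL_WHATSAPP_VOICE`, with no comment saying why a guess is sufficient evidence for these three ids. A short comment above the branch, for example `/* These guesses are accepted as-is: no further dissection is attempted at giveup time */`, would tell a maintainer whether the list is meant to grow. The branch is also unbraced while the following `else if` is braced; adding `{ ... }` keeps the chain consistent. `ndpi_detection_giveup` starts and ends outside this hunk.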
@@ -4042,7 +4052,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
&& (flow->packet.l4_protocol == IPPROTO_TCP)
&& (flow->l4.tcp.ssl_stage > 1))
- flow->guessed_protocol_id = NDPI_PROTOCOL_SSL_NO_CERT;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_TLS_NO_CERT;
guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id;
@@ -4102,10 +4112,11 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
// if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
if(flow->protos.stun_ssl.stun.num_processed_pkts && flow->protos.stun_ssl.stun.is_skype) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
- } else
+ } else {
ndpi_set_detected_protocol(ndpi_struct, flow,
flow->guessed_host_protocol_id,
NDPI_PROTOCOL_STUN);
+ }
}
}
@@ -4416,7 +4427,9 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc
if((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
unsigned long id;
- int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.stun_ssl.ssl.client_certificate, &id);
+ int rc = ndpi_match_custom_category(ndpi_struct,
+ (char *)flow->protos.stun_ssl.ssl.client_certificate,
+ &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t)id;
@@ -4460,8 +4473,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
*/
if(flow->check_extra_packets
/*
- && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)
- || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_SSL))
+ && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS))
*/
) {
ndpi_process_extra_packet(ndpi_struct, flow, packet, packetlen, current_tick_l, src, dst);
@@ -4547,8 +4560,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
flow->guessed_host_protocol_id = ndpi_guess_host_protocol_id(ndpi_struct, flow);
if(ndpi_struct->custom_categories.categories_loaded && flow->packet.iph) {
- ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
-
ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, &ret);
flow->guessed_header_category = ret.category;
} else
@@ -4579,7 +4590,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
addr.s_addr = flow->packet.iph->saddr;
flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_struct, &addr);
-
+
if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
addr.s_addr = flow->packet.iph->daddr;
flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_struct, &addr);
@@ -4598,16 +4609,16 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
for(i=0; i<2; i++) {
u_int16_t port = (i == 0) ? ntohs(flow->packet.tcp->dest) : ntohs(flow->packet.tcp->source);
-
+
switch(port) {
case 80:
ret.master_protocol = NDPI_PROTOCOL_HTTP;
break;
case 443:
- ret.master_protocol = NDPI_PROTOCOL_SSL; /* QUIC could also match */
+ ret.master_protocol = NDPI_PROTOCOL_TLS; /* QUIC could also match */
break;
}
-
+
if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN)
break;
}
@@ -5594,7 +5605,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
else {
ret.app_protocol = rc;
- if(rc == NDPI_PROTOCOL_SSL)
+ if(rc == NDPI_PROTOCOL_TLS)
goto check_guessed_skype;
else {
ret.category = ndpi_get_proto_category(ndpi_struct, ret);
@@ -5928,7 +5939,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru
ret_match->protocol_id = match.number,
ret_match->protocol_category = match.category,
ret_match->protocol_breed = match.breed;
-
+
return(match.number);
}
@@ -6095,23 +6106,25 @@ char* ndpi_revision() { return(NDPI_GIT_RELEASE); }
#ifdef WIN32
-/* http://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/port/gettimeofday.c;h=75a91993b74414c0a1c13a2a09ce739cb8aa8a08;hb=HEAD */
-int gettimeofday(struct timeval * tp, struct timezone * tzp) {
- /* FILETIME of Jan 1 1970 00:00:00. */
- const unsigned __int64 epoch = (__int64)(116444736000000000);
+/* https://stackoverflow.com/questions/10905892/equivalent-of-gettimeday-for-windows */
+int gettimeofday(struct timeval * tp, struct timezone * tzp)
+{
+ // Note: some broken versions only have 8 trailing zero's, the correct epoch has 9 trailing zero's
+ // This magic number is the number of 100 nanosecond intervals since January 1, 1601 (UTC)
+ // until 00:00:00 January 1, 1970
+ static const uint64_t EPOCH = ((uint64_t) 116444736000000000ULL);
- FILETIME file_time;
SYSTEMTIME system_time;
- ULARGE_INTEGER ularge;
+ FILETIME file_time;
+ uint64_t time;
- GetSystemTime(&system_time);
- SystemTimeToFileTime(&system_time, &file_time);
- ularge.LowPart = file_time.dwLowDateTime;
- ularge.HighPart = file_time.dwHighDateTime;
+ GetSystemTime( &system_time );
+ SystemTimeToFileTime( &system_time, &file_time );
+ time = ((uint64_t)file_time.dwLowDateTime ) ;
+ time += ((uint64_t)file_time.dwHighDateTime) << 32;
- tp->tv_sec = (long) ((ularge.QuadPart - epoch) / 10000000L);
+ tp->tv_sec = (long) ((time - EPOCH) / 10000000L);
tp->tv_usec = (long) (system_time.wMilliseconds * 1000);
-
return 0;
}
#endif
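Review bot: The new local `uint64_t time;` in the WIN32 `gettimeofday` shadows the C library's `time()` wherever `<time.h>` is in scope, which triggers `-Wshadow` and makes later edits error-prone. A neutral name avoids that, for example `uint64_t ticks;` with `tp->tv_sec = (long) ((ticks - EPOCH) / 10000000L);`. The function also writes through `tp` without a NULL check and relies on `uint64_t`, whose `<stdint.h>` include is not visible in this hunk, so that should be confirmed for the Windows build.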
@@ -6178,7 +6191,8 @@ struct ndpi_lru_cache* ndpi_lru_cache_init(u_int32_t num_entries) {
if(!c) return(NULL);
- c->entries = (u_int32_t*)calloc(num_entries, sizeof(u_int32_t));
+ c->entries = (struct ndpi_lru_cache_entry*)calloc(num_entries,
+ sizeof(struct ndpi_lru_cache_entry));
if(!c->entries) {
free(c);
@@ -6194,21 +6208,23 @@ void ndpi_lru_free_cache(struct ndpi_lru_cache *c) {
free(c);
}
-
-u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int8_t clean_key_when_found) {
+u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t *value, u_int8_t clean_key_when_found) {
u_int32_t slot = key % c->num_entries;
- if(c->entries[slot] == key) {
- if(clean_key_when_found) c->entries[slot] = 0;
+ if(c->entries[slot].is_full) {
+ *value = c->entries[slot].value;
+ if(clean_key_when_found) c->entries[slot].is_full = 0;
return(1);
} else
return(0);
}
-void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key) {
+void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int16_t value) {
u_int32_t slot = key % c->num_entries;
- c->entries[slot] = key;
+ c->entries[slot].is_full = 1,
+ c->entries[slot].key = key,
+ c->entries[slot].value = value;
}
/* ******************************************************************** */
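Review bot: `ndpi_lru_find_cache` now reports a hit whenever the slot is occupied, because the new test `if(c->entries[slot].is_full)` no longer compares the stored key with `key`. Two keys with the same `key % c->num_entries` will therefore return each other's `value`. `ndpi_lru_add_to_cache` stores the key in this same hunk, so the test can be `if(c->entries[slot].is_full && c->entries[slot].key == key) {`. If this cache feeds protocol classification, as the `u_int16_t` value suggests, a collision would silently attach another flow's result. Both functions also compute `key % c->num_entries` with no guard against `num_entries == 0`, and `*value` is written without a NULL check.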
@@ -6236,4 +6252,3 @@ int ndpi_flowv6_flow_hash(u_int8_t l4_proto, struct ndpi_in6_addr *src_ip, struc
}
/* **************************************** */
-
diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c
new file mode 100644
index 000000000..a6546a909
--- /dev/null
+++ b/src/lib/ndpi_serializer.c
@@ -0,0 +1,1107 @@
+/*
+ * ndpi_serializer.c
+ *
+ * Copyright (C) 2011-19 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "ndpi_config.h"
+#endif
+
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+
+#include "ndpi_api.h"
+#include "ndpi_config.h"
+
+#include <time.h>
+#ifndef WIN32
+#include <unistd.h>
+#endif
+
+#if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__
+#include <sys/endian.h>
+#endif
+
+/* ********************************** */
+
+static u_int64_t ndpi_htonll(u_int64_t v) {
+ union { u_int32_t lv[2]; u_int64_t llv; } u;
+ u.lv[0] = htonl(v >> 32);
+ u.lv[1] = htonl(v & 0xFFFFFFFFULL);
+ return u.llv;
+}
+
+/* ********************************** */
+
+static u_int64_t ndpi_ntohll(u_int64_t v) {
+ union { u_int32_t lv[2]; u_int64_t llv; } u;
+ u.llv = v;
+ return ((u_int64_t)ntohl(u.lv[0]) << 32) | (u_int64_t)ntohl(u.lv[1]);
+}
+
+/* ********************************** */
+
+/*
+ * Escapes a string to be suitable for a JSON value, adding double quotes, and terminating the string with a null byte.
+ * It is recommended to provide a destination buffer (dst) which is as large as double the source buffer (src) at least.
+ * Upon successful return, these functions return the number of characters printed (excluding the null byte used to terminate the string).
+ */
+static int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst_max_len) {
+ char c = 0;
+ int i, j = 0;
+
+ dst[j++] = '"';
+
+ for (i = 0; i < src_len && j < dst_max_len; i++) {
+
+ c = src[i];
+
+ switch (c) {
+ case '\\':
+ case '"':
+ case '/':
+ dst[j++] = '\\';
+ dst[j++] = c;
+ break;
+ case '\b':
+ dst[j++] = '\\';
+ dst[j++] = 'b';
+ break;
+ case '\t':
+ dst[j++] = '\\';
+ dst[j++] = 't';
+ break;
+ case '\n':
+ dst[j++] = '\\';
+ dst[j++] = 'n';
+ break;
+ case '\f':
+ dst[j++] = '\\';
+ dst[j++] = 'f';
+ break;
+ case '\r':
+ dst[j++] = '\\';
+ dst[j++] = 'r';
+ break;
+ default:
+ if(c < ' ')
+ ; /* non printable */
+ else
+ dst[j++] = c;
+ }
+ }
+
+ dst[j++] = '"';
+ dst[j+1] = '\0';
+
+ return j;
+}
+
+/* ********************************** */
+
+void ndpi_reset_serializer(ndpi_serializer *_serializer) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ u_int32_t buff_diff;
+
+ serializer->size_used = 0;
+ buff_diff = serializer->buffer_size - serializer->size_used;
+
+ /* Note: please keep a space at the beginning as it is used for arrays when an end-of-record is used */
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, " {}");
+ } else if(serializer->fmt == ndpi_serialization_format_csv)
+ serializer->size_used = 0;
+ else /* TLV */
+ serializer->size_used = 2 * sizeof(u_int8_t);
+}
+
+/* ********************************** */
+
+int ndpi_init_serializer(ndpi_serializer *_serializer,
+ ndpi_serialization_format fmt) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ memset(serializer, 0, sizeof(ndpi_private_serializer));
+
+ serializer->buffer_size = 8192;
+ serializer->buffer = (u_int8_t *) malloc(serializer->buffer_size * sizeof(u_int8_t));
+
+ if(serializer->buffer == NULL)
+ return(-1);
+
+ serializer->fmt = fmt;
+
+ serializer->buffer[0] = 1; /* version */
+ serializer->buffer[1] = (u_int8_t) fmt;
+
+ serializer->csv_separator[0] = ',';
+ serializer->csv_separator[1] = '\0';
+
+ ndpi_reset_serializer(_serializer);
+
+ return(1);
+}
+
+/* ********************************** */
+
+char* ndpi_serializer_get_buffer(ndpi_serializer *_serializer, u_int32_t *buffer_len) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ char *buf = (char*)serializer->buffer;
+
+ /* NULL terminate the buffer if there is space available */
+ if(serializer->buffer_size > serializer->size_used)
+ serializer->buffer[serializer->size_used] = '\0';
+
+ *buffer_len = serializer->size_used;
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ while(buf[0] == '\0')
+ buf++, *buffer_len = *buffer_len - 1 ;
+ }
+
+ return(buf);
+}
+
+/* ********************************** */
+
+u_int32_t ndpi_serializer_get_buffer_len(ndpi_serializer *_serializer) {
+ return(((ndpi_private_serializer*)_serializer)->size_used);
+}
+
+ /* ********************************** */
+
+void ndpi_serializer_set_csv_separator(ndpi_serializer *_serializer, char separator) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ serializer->csv_separator[0] = separator;
+}
+
+/* ********************************** */
+
+void ndpi_term_serializer(ndpi_serializer *_serializer) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ if(serializer->buffer) {
+ free(serializer->buffer);
+ serializer->buffer_size = 0;
+ serializer->buffer = NULL;
+ }
+}
+
+/* ********************************** */
+
+static int ndpi_extend_serializer_buffer(ndpi_serializer *_serializer, u_int32_t min_len) {
+ u_int32_t new_size;
+ void *r;
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ if(min_len < 1024)
+ min_len = 1024;
+
+ new_size = serializer->buffer_size + min_len;
+
+ r = realloc((void *) serializer->buffer, new_size);
+
+ if(r == NULL)
+ return(-1);
+
+ serializer->buffer = r;
+ serializer->buffer_size = new_size;
+
+ return(0);
+}
+
+/* ********************************** */
+
+static void ndpi_serialize_single_uint32(ndpi_serializer *_serializer,
+ u_int32_t s) {
+ u_int32_t v = htonl(s);
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ memcpy(&serializer->buffer[serializer->size_used], &v, sizeof(u_int32_t));
+ serializer->size_used += sizeof(u_int32_t);
+}
+
+/* ********************************** */
+
+static void ndpi_serialize_single_uint64(ndpi_serializer *_serializer,
+ u_int64_t s) {
+ u_int64_t v = ndpi_htonll(s);
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ memcpy(&serializer->buffer[serializer->size_used], &v, sizeof(u_int64_t));
+ serializer->size_used += sizeof(u_int64_t);
+}
+
+/* ********************************** */
+
+/* TODO: fix portability across platforms */
+static void ndpi_serialize_single_float(ndpi_serializer *_serializer, float s) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ memcpy(&serializer->buffer[serializer->size_used], &s, sizeof(s));
+ serializer->size_used += sizeof(float);
+}
+
+/* ********************************** */
+
+static void ndpi_serialize_single_string(ndpi_serializer *_serializer,
+ const char *s, u_int16_t slen) {
+ u_int16_t l = htons(slen);
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ memcpy(&serializer->buffer[serializer->size_used], &l, sizeof(u_int16_t));
+ serializer->size_used += sizeof(u_int16_t);
+
+ if(slen > 0)
+ memcpy(&serializer->buffer[serializer->size_used], s, slen);
+
+ serializer->size_used += slen;
+}
+
+/* ********************************** */
+
+static void ndpi_deserialize_single_uint32(ndpi_serializer *_deserializer,
+ u_int32_t *s) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ *s = ntohl(*((u_int32_t *) &deserializer->buffer[deserializer->size_used]));
+ deserializer->size_used += sizeof(u_int32_t);
+}
+
+/* ********************************** */
+
+static void ndpi_deserialize_single_int32(ndpi_serializer *_deserializer,
+ int32_t *s) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ *s = ntohl(*((int32_t *) &deserializer->buffer[deserializer->size_used]));
+ deserializer->size_used += sizeof(int32_t);
+}
+
+/* ********************************** */
+
+static void ndpi_deserialize_single_uint64(ndpi_serializer *_deserializer,
+ u_int64_t *s) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ *s = ndpi_ntohll(*(u_int64_t*)&deserializer->buffer[deserializer->size_used]);
+ deserializer->size_used += sizeof(u_int64_t);
+}
+
+/* ********************************** */
+
+static void ndpi_deserialize_single_int64(ndpi_serializer *_deserializer,
+ int64_t *s) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ *s = ndpi_ntohll(*(int64_t*)&deserializer->buffer[deserializer->size_used]);
+ deserializer->size_used += sizeof(int64_t);
+}
+
+/* ********************************** */
+
+/* TODO: fix portability across platforms */
+static void ndpi_deserialize_single_float(ndpi_serializer *_deserializer,
+ float *s) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ *s = *(float*)&deserializer->buffer[deserializer->size_used];
+ deserializer->size_used += sizeof(float);
+}
+
+/* ********************************** */
+
+static void ndpi_deserialize_single_string(ndpi_serializer *_deserializer,
+ ndpi_string *v) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ v->str_len = ntohs(*((u_int16_t *) &deserializer->buffer[deserializer->size_used]));
+ deserializer->size_used += sizeof(u_int16_t);
+
+ v->str = (char *) &deserializer->buffer[deserializer->size_used];
+ deserializer->size_used += v->str_len;
+}
+
+/* ********************************** */
+
+int ndpi_serialize_end_of_record(ndpi_serializer *_serializer) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int16_t needed =
+ sizeof(u_int8_t) /* type */;
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 1;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ if(!(serializer->status & NDPI_SERIALIZER_STATUS_ARRAY)) {
+ // serializer->json_buffer[0] = '[';
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used],
+ buff_diff, "]");
+ }
+ serializer->status |= NDPI_SERIALIZER_STATUS_ARRAY | NDPI_SERIALIZER_STATUS_EOR;
+ serializer->status &= ~NDPI_SERIALIZER_STATUS_COMMA;
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_end_of_record;
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+static void ndpi_serialize_json_pre(ndpi_serializer *_serializer) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ if(serializer->status & NDPI_SERIALIZER_STATUS_EOR) {
+ serializer->size_used--; /* Remove ']' */
+ serializer->status &= ~NDPI_SERIALIZER_STATUS_EOR;
+ serializer->buffer[serializer->size_used++] = ',';
+ serializer->buffer[serializer->size_used++] = '{';
+ } else {
+ if(serializer->status & NDPI_SERIALIZER_STATUS_ARRAY)
+ serializer->size_used--; /* Remove ']'*/
+ serializer->size_used--; /* Remove '}'*/
+ }
+ if(serializer->status & NDPI_SERIALIZER_STATUS_COMMA)
+ serializer->buffer[serializer->size_used++] = ',';
+}
+
+/* ********************************** */
+
+static void ndpi_serialize_json_post(ndpi_serializer *_serializer) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ serializer->buffer[serializer->size_used++] = '}';
+ if(serializer->status & NDPI_SERIALIZER_STATUS_ARRAY)
+ serializer->buffer[serializer->size_used++] = ']';
+
+ serializer->status |= NDPI_SERIALIZER_STATUS_COMMA;
+}
+
+/* ********************************** */
+
+int ndpi_serialize_uint32_uint32(ndpi_serializer *_serializer,
+ u_int32_t key, u_int32_t value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int16_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int32_t) /* key */ +
+ sizeof(u_int32_t);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 24;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "\"%u\":%u", key, value);
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%u", (serializer->size_used > 0) ? serializer->csv_separator : "", value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_uint32_uint32;
+
+ ndpi_serialize_single_uint32(_serializer, key);
+ ndpi_serialize_single_uint32(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_uint32_uint64(ndpi_serializer *_serializer,
+ u_int32_t key, u_int64_t value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int16_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int32_t) /* key */ +
+ sizeof(u_int64_t);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 32;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "\"%u\":%llu", key, (unsigned long long)value);
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%llu",
+ (serializer->size_used > 0) ? serializer->csv_separator : "",
+ (unsigned long long)value);
+
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_uint32_uint64;
+
+ ndpi_serialize_single_uint32(_serializer, key);
+ ndpi_serialize_single_uint64(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_uint32_string(ndpi_serializer *_serializer,
+ u_int32_t key, const char *_value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ const char *value = _value ? _value : "";
+ u_int16_t slen = strlen(value);
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int32_t) /* key */ +
+ sizeof(u_int16_t) /* len */ +
+ slen;
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 24 + slen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "\"%u\":", key);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += ndpi_json_string_escape(value, slen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%s", (serializer->size_used > 0) ? serializer->csv_separator : "", value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_uint32_string;
+
+ ndpi_serialize_single_uint32(_serializer, key);
+ ndpi_serialize_single_string(_serializer, value, slen);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_int32(ndpi_serializer *_serializer,
+ const char *key, int32_t value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int16_t klen = strlen(key);
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ klen /* key */ +
+ sizeof(u_int32_t);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 16 + klen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += ndpi_json_string_escape(key, klen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ ":%d", value);
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%d", (serializer->size_used > 0) ? serializer->csv_separator : "", value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_string_int32;
+
+ ndpi_serialize_single_string(_serializer, key, klen);
+ ndpi_serialize_single_uint32(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_int64(ndpi_serializer *_serializer,
+ const char *key, int64_t value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int16_t klen = strlen(key);
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ klen /* key */ +
+ sizeof(u_int32_t);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 16 + klen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += ndpi_json_string_escape(key, klen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ ":%lld", (long long int)value);
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%lld", (serializer->size_used > 0) ? serializer->csv_separator : "",
+ (long long int)value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_string_int64;
+
+ ndpi_serialize_single_string(_serializer, key, klen);
+ ndpi_serialize_single_uint32(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_uint32(ndpi_serializer *_serializer,
+ const char *key, u_int32_t value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int16_t klen = strlen(key);
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ klen /* key */ +
+ sizeof(u_int32_t);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 16 + klen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += ndpi_json_string_escape(key, klen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ ":%u", value);
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%u", (serializer->size_used > 0) ? serializer->csv_separator : "", value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_string_uint32;
+
+ ndpi_serialize_single_string(_serializer, key, klen);
+ ndpi_serialize_single_uint32(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_uint32_format(ndpi_serializer *_serializer,
+ const char *key, u_int32_t value,
+ const char *format) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ /*
+ JSON supports base 10 numbers only
+ http://cjihrig.com/blog/json-overview/
+ */
+
+ return(ndpi_serialize_string_uint32(_serializer, key, value));
+ } else
+ return(ndpi_serialize_string_uint32_format(_serializer, key, value, format));
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_uint64(ndpi_serializer *_serializer,
+ const char *key, u_int64_t value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int16_t klen = strlen(key);
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ klen /* key */ +
+ sizeof(u_int64_t);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 32 + klen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += ndpi_json_string_escape(key, klen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ ":%llu", (unsigned long long)value);
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%llu", (serializer->size_used > 0) ? serializer->csv_separator : "",
+ (unsigned long long)value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_string_uint64;
+
+ ndpi_serialize_single_string(_serializer, key, klen);
+ ndpi_serialize_single_uint64(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_float(ndpi_serializer *_serializer,
+ const char *key, float value,
+ const char *format /* e.f. "%.2f" */) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ u_int16_t klen = strlen(key);
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ klen /* key */ +
+ sizeof(float);
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 32 + klen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += ndpi_json_string_escape(key, klen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+
+ serializer->buffer[serializer->size_used] = ':';
+ serializer->size_used++;
+
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, format, value);
+
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ if(serializer->size_used > 0)
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, "%s", serializer->csv_separator);
+
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, format, value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_string_float;
+
+ ndpi_serialize_single_string(_serializer, key, klen);
+ ndpi_serialize_single_float(_serializer, value);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_serialize_string_string(ndpi_serializer *_serializer,
+ const char *key, const char *_value) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+ const char *value = _value ? _value : "";
+ u_int16_t klen = strlen(key), vlen = strlen(value);
+ u_int32_t needed =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ klen +
+ sizeof(u_int16_t) /* len */ +
+ vlen;
+ u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
+
+ if(serializer->fmt == ndpi_serialization_format_json)
+ needed += 16 + klen + vlen;
+
+ if(buff_diff < needed) {
+ if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0)
+ return(-1);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ }
+
+ if(serializer->fmt == ndpi_serialization_format_json) {
+ ndpi_serialize_json_pre(_serializer);
+ serializer->size_used += ndpi_json_string_escape(key, klen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, ":");
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ serializer->size_used += ndpi_json_string_escape(value, vlen,
+ (char *) &serializer->buffer[serializer->size_used], buff_diff);
+ buff_diff = serializer->buffer_size - serializer->size_used;
+ ndpi_serialize_json_post(_serializer);
+ } else if(serializer->fmt == ndpi_serialization_format_csv) {
+ serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
+ "%s%s", (serializer->size_used > 0) ? serializer->csv_separator : "",
+ value);
+ } else {
+ serializer->buffer[serializer->size_used++] = ndpi_serialization_string_string;
+
+ ndpi_serialize_single_string(_serializer, key, klen);
+ ndpi_serialize_single_string(_serializer, value, vlen);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+/* ********************************** */
+
+int ndpi_init_deserializer_buf(ndpi_deserializer *_deserializer,
+ u_int8_t *serialized_buffer,
+ u_int32_t serialized_buffer_len) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(serialized_buffer_len < (2 * sizeof(u_int8_t)))
+ return(-1);
+
+ deserializer->buffer = serialized_buffer;
+
+ if(deserializer->buffer[0] != 1)
+ return(-2); /* Invalid version */
+
+ deserializer->buffer_size = serialized_buffer_len;
+ deserializer->fmt = deserializer->buffer[1];
+ ndpi_reset_serializer(_deserializer);
+
+ return(0);
+}
+
+/* ********************************** */
+
+int ndpi_init_deserializer(ndpi_deserializer *deserializer,
+ ndpi_serializer *_serializer) {
+ ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
+
+ return(ndpi_init_deserializer_buf(deserializer,
+ serializer->buffer,
+ serializer->size_used));
+}
+
+/* ********************************** */
+
+ndpi_serialization_element_type ndpi_deserialize_get_nextitem_type(ndpi_deserializer *_deserializer) {
+ ndpi_serialization_element_type et;
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(deserializer->size_used >= deserializer->buffer_size)
+ return(ndpi_serialization_unknown);
+
+ et = (ndpi_serialization_element_type) deserializer->buffer[deserializer->size_used];
+
+ return et;
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_end_of_record(ndpi_deserializer *_deserializer) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_end_of_record) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int16_t expected =
+ sizeof(u_int8_t) /* type */;
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_uint32_uint32(ndpi_deserializer *_deserializer,
+ u_int32_t *key, u_int32_t *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_uint32_uint32) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int16_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int32_t) /* key */ +
+ sizeof(u_int32_t);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_uint32(_deserializer, key);
+ ndpi_deserialize_single_uint32(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_uint32_uint64(ndpi_deserializer *_deserializer,
+ u_int32_t *key, u_int64_t *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_uint32_uint64) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int16_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int32_t) /* key */ +
+ sizeof(u_int64_t);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_uint32(_deserializer, key);
+ ndpi_deserialize_single_uint64(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_uint32_string(ndpi_deserializer *_deserializer,
+ u_int32_t *key, ndpi_string *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_uint32_string) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int32_t) /* key */ +
+ sizeof(u_int16_t) /* len */;
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_uint32(_deserializer, key);
+ ndpi_deserialize_single_string(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_string_int32(ndpi_deserializer *_deserializer,
+ ndpi_string *key, int32_t *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_string_int32) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ sizeof(int32_t);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_string(_deserializer, key);
+ ndpi_deserialize_single_int32(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_string_int64(ndpi_deserializer *_deserializer,
+ ndpi_string *key, int64_t *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_string_int64) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ sizeof(int64_t);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_string(_deserializer, key);
+ ndpi_deserialize_single_int64(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_string_uint32(ndpi_deserializer *_deserializer,
+ ndpi_string *key, u_int32_t *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_string_uint32) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ sizeof(u_int32_t);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_string(_deserializer, key);
+ ndpi_deserialize_single_uint32(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_string_uint64(ndpi_deserializer *_deserializer,
+ ndpi_string *key, u_int64_t *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_string_uint64) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ sizeof(u_int64_t);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_string(_deserializer, key);
+ ndpi_deserialize_single_uint64(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_string_float(ndpi_deserializer *_deserializer,
+ ndpi_string *key, float *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_string_float) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ sizeof(float);
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_string(_deserializer, key);
+ ndpi_deserialize_single_float(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
+
+int ndpi_deserialize_string_string(ndpi_deserializer *_deserializer,
+ ndpi_string *key, ndpi_string *value) {
+ ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer;
+
+ if(ndpi_deserialize_get_nextitem_type(_deserializer) == ndpi_serialization_string_string) {
+ u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
+ u_int32_t expected =
+ sizeof(u_int8_t) /* type */ +
+ sizeof(u_int16_t) /* key len */ +
+ sizeof(u_int16_t) /* len */;
+
+ if(buff_diff < expected) return(-2);
+
+ deserializer->size_used++; /* Skip element type */
+ ndpi_deserialize_single_string(_deserializer, key);
+ ndpi_deserialize_single_string(_deserializer, value);
+
+ return(0);
+ } else
+ return(-1);
+}
+
+/* ********************************** */
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 8959aa05e..14a82065a 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1,5 +1,5 @@
/*
- * ndpi_utils.cc
+ * ndpi_utils.c
*
* Copyright (C) 2011-19 - ntop.org
*
@@ -236,38 +236,38 @@ u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst,
* based upon ascii character sequences.
*/
static const u_char charmap[] = {
- '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007',
- '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
- '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
- '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
- '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
- '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057',
- '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
- '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077',
- '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
- '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
- '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137',
- '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
- '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
- '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
- '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
- '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
- '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
- '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
- '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
- '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
- '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
- '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
- '\300', '\301', '\302', '\303', '\304', '\305', '\306', '\307',
- '\310', '\311', '\312', '\313', '\314', '\315', '\316', '\317',
- '\320', '\321', '\322', '\323', '\324', '\325', '\326', '\327',
- '\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337',
- '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
- '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377',
+ '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007',
+ '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
+ '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
+ '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
+ '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
+ '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057',
+ '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
+ '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077',
+ '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
+ '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
+ '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
+ '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137',
+ '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
+ '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
+ '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
+ '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
+ '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
+ '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
+ '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
+ '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
+ '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
+ '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
+ '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
+ '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
+ '\300', '\301', '\302', '\303', '\304', '\305', '\306', '\307',
+ '\310', '\311', '\312', '\313', '\314', '\315', '\316', '\317',
+ '\320', '\321', '\322', '\323', '\324', '\325', '\326', '\327',
+ '\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337',
+ '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
+ '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+ '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377',
};
int strcasecmp(const char *s1, const char *s2) {
@@ -304,8 +304,8 @@ int strncasecmp(const char *s1, const char *s2, size_t n) {
/* **************************************** */
u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher) {
- /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */
- /* INSECURE */
+ /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */
+ /* INSECURE */
switch(cipher) {
case 0xc011: return(NDPI_CIPHER_INSECURE); /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
case 0x0005: return(NDPI_CIPHER_INSECURE); /* TLS_RSA_WITH_RC4_128_SHA */
@@ -360,9 +360,9 @@ const char* ndpi_cipher2str(u_int32_t cipher) {
case 0x000019: return("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA");
case 0x00001a: return("TLS_DH_anon_WITH_DES_CBC_SHA");
case 0x00001b: return("TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
- case 0x00001c: return("SSL_FORTEZZA_KEA_WITH_NULL_SHA");
- case 0x00001d: return("SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA");
- /* case 0x00001e: return("SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"); */
+ case 0x00001c: return("TLS_FORTEZZA_KEA_WITH_NULL_SHA");
+ case 0x00001d: return("TLS_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA");
+ /* case 0x00001e: return("TLS_FORTEZZA_KEA_WITH_RC4_128_SHA"); */
case 0x00001E: return("TLS_KRB5_WITH_DES_CBC_SHA");
case 0x00001F: return("TLS_KRB5_WITH_3DES_EDE_CBC_SHA");
case 0x000020: return("TLS_KRB5_WITH_RC4_128_SHA");
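Review bot: The strings returned by ndpi_cipher2str for 0x00001c and 0x00001d change from an `SSL_` to a `TLS_` prefix here, and the next hunk does the same for 0x00fefe, 0x00feff, 0x00ffe0 and 0x00ffe1, so any log parser, test expectation or detection rule that matches on the old names will silently stop matching. These look like SSLv3-era and vendor-private suites rather than registered TLS ones, so a comment above them such as `/* legacy SSLv3/private suites, labelled TLS_ for naming consistency */` would keep the provenance visible. The commented-out `case 0x00001e` line was also renamed, although it can never be enabled next to the live `case 0x00001E`; replacing it with `/* 0x00001e was FORTEZZA_KEA_WITH_RC4_128_SHA in SSLv3; the value is now TLS_KRB5_WITH_DES_CBC_SHA */` would say why it is disabled. The switch starts and ends outside the hunk.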
@@ -576,10 +576,10 @@ const char* ndpi_cipher2str(u_int32_t cipher) {
case 0x00E41D: return("TLS_DHE_PSK_WITH_SALSA20_SHA1");
case 0x00E41E: return("TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1");
case 0x00E41F: return("TLS_DHE_RSA_WITH_SALSA20_SHA1");
- case 0x00fefe: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA");
- case 0x00feff: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
- case 0x00ffe0: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
- case 0x00ffe1: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA");
+ case 0x00fefe: return("TLS_RSA_FIPS_WITH_DES_CBC_SHA");
+ case 0x00feff: return("TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
+ case 0x00ffe0: return("TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
+ case 0x00ffe1: return("TLS_RSA_FIPS_WITH_DES_CBC_SHA");
case 0x010080: return("SSL2_RC4_128_WITH_MD5");
case 0x020080: return("SSL2_RC4_128_EXPORT40_WITH_MD5");
case 0x030080: return("SSL2_RC2_128_CBC_WITH_MD5");
@@ -637,7 +637,7 @@ static int ndpi_find_non_eng_bigrams(struct ndpi_detection_module_struct *ndpi_s
|| ndpi_is_other_char(str[1])
)
return(1);
-
+
s[0] = tolower(str[0]), s[1] = tolower(str[1]), s[2] = '\0';
return(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, s));
@@ -655,10 +655,10 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
if(buffer_size <= 0)
return(0);
-
+
outbuf_len--;
outbuf[outbuf_len] = '\0';
-
+
for(i=0; i<buffer_size-2; i++) {
if(ndpi_is_valid_char(buffer[i])
&& ndpi_is_valid_char(buffer[i+1])
@@ -687,14 +687,14 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
being_o_idx = o_idx;
outbuf[o_idx] = '\0';
}
-
+
#ifdef PRINT_STRINGS
printf(" [len: %u]%s\n", len, ret ? "<-- HIT" : "");
#endif
if(ret)
break;
-
+
do_cr = 0, len = 0;
}
}
@@ -713,11 +713,13 @@ char* ndpi_ssl_version2str(u_int16_t version) {
static char v[8];
switch(version) {
- case 0x300: return("SSLv3");
- case 0x301: return("TLSv1");
- case 0x302: return("TLSv1.1");
- case 0x303: return("TLSv1.2");
- case 0x304: return("TLSv1.3");
+ case 0x0300: return("SSLv3");
+ case 0x0301: return("TLSv1");
+ case 0x0302: return("TLSv1.1");
+ case 0x0303: return("TLSv1.2");
+ case 0x0304: return("TLSv1.3");
+ case 0xfeff: return("DTLSv1.0");
+ case 0xfefd: return("DTLSv1.2");
}
if((version >= 0x7f00) && (version <= 0x7fff))
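Review bot: The two added DTLS cases have no comment explaining why their values sit far from the 0x03xx range, and no other DTLS version value is named; a line such as `/* DTLS versions are the one's complement of major.minor: 1.0 = 0xfeff, 1.2 = 0xfefd */` above them would make the table self-explanatory. Values that match no case fall through to the code after the switch, which continues outside the hunk and presumably formats into the function-static `v[8]`, so the returned pointer would be shared between calls and threads. Callers that keep or log the result from more than one thread should copy it first, which is worth stating in a comment on the function.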
@@ -728,826 +730,3 @@ char* ndpi_ssl_version2str(u_int16_t version) {
}
/* ********************************** */
-/* ********************************** */
-
-static u_int64_t ndpi_htonll(u_int64_t v) {
- union { u_int32_t lv[2]; u_int64_t llv; } u;
- u.lv[0] = htonl(v >> 32);
- u.lv[1] = htonl(v & 0xFFFFFFFFULL);
- return u.llv;
-}
-
-/* ********************************** */
-
-static u_int64_t ndpi_ntohll(u_int64_t v) {
- union { u_int32_t lv[2]; u_int64_t llv; } u;
- u.llv = v;
- return ((u_int64_t)ntohl(u.lv[0]) << 32) | (u_int64_t)ntohl(u.lv[1]);
-}
-
-/* ********************************** */
-
-/*
- * Escapes a string to be suitable for a JSON value, adding double quotes, and terminating the string with a null byte.
- * It is recommended to provide a destination buffer (dst) which is as large as double the source buffer (src) at least.
- * Upon successful return, these functions return the number of characters printed (excluding the null byte used to terminate the string).
- */
-static int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst_max_len) {
- char c = 0;
- int i, j = 0;
-
- dst[j++] = '"';
-
- for (i = 0; i < src_len && j < dst_max_len; i++) {
-
- c = src[i];
-
- switch (c) {
- case '\\':
- case '"':
- case '/':
- dst[j++] = '\\';
- dst[j++] = c;
- break;
- case '\b':
- dst[j++] = '\\';
- dst[j++] = 'b';
- break;
- case '\t':
- dst[j++] = '\\';
- dst[j++] = 't';
- break;
- case '\n':
- dst[j++] = '\\';
- dst[j++] = 'n';
- break;
- case '\f':
- dst[j++] = '\\';
- dst[j++] = 'f';
- break;
- case '\r':
- dst[j++] = '\\';
- dst[j++] = 'r';
- break;
- default:
- if (c < ' ')
- ; /* non printable */
- else
- dst[j++] = c;
- }
- }
-
- dst[j++] = '"';
- dst[j+1] = '\0';
-
- return j;
-}
-
-/* ********************************** */
-
-void ndpi_reset_serializer(ndpi_serializer *serializer) {
- serializer->size_used = 2 * sizeof(u_int8_t);
- if (serializer->fmt == ndpi_serialization_format_json) {
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- /* Note: please keep a space at the beginning as it is used for arrays when an end-of-record is used */
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, " {}");
- }
-}
-
-/* ********************************** */
-
-int ndpi_init_serializer(ndpi_serializer *serializer,
- ndpi_serialization_format fmt) {
- serializer->buffer_size = 8192;
- serializer->buffer = (u_int8_t *) malloc(serializer->buffer_size * sizeof(u_int8_t));
-
- if (serializer->buffer == NULL)
- return(-1);
-
- serializer->fmt = fmt;
-
- serializer->buffer[0] = 1; /* version */
- serializer->buffer[1] = (u_int8_t) fmt;
-
- ndpi_reset_serializer(serializer);
-
- if (fmt == ndpi_serialization_format_json)
- serializer->json_buffer = (char *) &serializer->buffer[2];
-
- return(1);
-}
-
-/* ********************************** */
-
-void ndpi_term_serializer(ndpi_serializer *serializer) {
- if(serializer->buffer) {
- free(serializer->buffer);
- serializer->buffer_size = 0;
- serializer->buffer = NULL;
- }
-}
-
-/* ********************************** */
-
-static int ndpi_extend_serializer_buffer(ndpi_serializer *serializer, u_int32_t min_len) {
- u_int32_t new_size;
- void *r;
-
- if (min_len < 1024)
- min_len = 1024;
-
- new_size = serializer->buffer_size + min_len;
-
- r = realloc((void *) serializer->buffer, new_size);
-
- if(r == NULL)
- return(-1);
-
- serializer->buffer = r;
- serializer->buffer_size = new_size;
-
- return(0);
-}
-
-/* ********************************** */
-
-static void ndpi_serialize_single_uint32(ndpi_serializer *serializer,
- u_int32_t s) {
-
- u_int32_t v = htonl(s);
-
- memcpy(&serializer->buffer[serializer->size_used], &v, sizeof(u_int32_t));
- serializer->size_used += sizeof(u_int32_t);
-}
-
-/* ********************************** */
-
-static void ndpi_serialize_single_uint64(ndpi_serializer *serializer,
- u_int64_t s) {
-
- u_int64_t v = ndpi_htonll(s);
-
- memcpy(&serializer->buffer[serializer->size_used], &v, sizeof(u_int64_t));
- serializer->size_used += sizeof(u_int64_t);
-}
-
-/* ********************************** */
-
-static void ndpi_serialize_single_string(ndpi_serializer *serializer,
- const char *s, u_int16_t slen) {
- u_int16_t l = htons(slen);
-
- memcpy(&serializer->buffer[serializer->size_used], &l, sizeof(u_int16_t));
- serializer->size_used += sizeof(u_int16_t);
-
- if (slen > 0)
- memcpy(&serializer->buffer[serializer->size_used], s, slen);
-
- serializer->size_used += slen;
-}
-
-/* ********************************** */
-
-static void ndpi_deserialize_single_uint32(ndpi_serializer *deserializer,
- u_int32_t *s) {
- *s = ntohl(*((u_int32_t *) &deserializer->buffer[deserializer->size_used]));
- deserializer->size_used += sizeof(u_int32_t);
-}
-
-/* ********************************** */
-
-static void ndpi_deserialize_single_int32(ndpi_serializer *deserializer,
- int32_t *s) {
- *s = ntohl(*((int32_t *) &deserializer->buffer[deserializer->size_used]));
- deserializer->size_used += sizeof(int32_t);
-}
-
-/* ********************************** */
-
-static void ndpi_deserialize_single_uint64(ndpi_serializer *deserializer,
- u_int64_t *s) {
- *s = ndpi_ntohll(*(u_int64_t*)&deserializer->buffer[deserializer->size_used]);
- deserializer->size_used += sizeof(u_int64_t);
-}
-
-/* ********************************** */
-
-static void ndpi_deserialize_single_int64(ndpi_serializer *deserializer,
- int64_t *s) {
- *s = ndpi_ntohll(*(int64_t*)&deserializer->buffer[deserializer->size_used]);
- deserializer->size_used += sizeof(int64_t);
-}
-
-/* ********************************** */
-
-static void ndpi_deserialize_single_string(ndpi_serializer *deserializer,
- ndpi_string *v) {
- v->str_len = ntohs(*((u_int16_t *) &deserializer->buffer[deserializer->size_used]));
- deserializer->size_used += sizeof(u_int16_t);
-
- v->str = (char *) &deserializer->buffer[deserializer->size_used];
- deserializer->size_used += v->str_len;
-}
-
-/* ********************************** */
-
-int ndpi_serialize_end_of_record(ndpi_serializer *serializer) {
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int16_t needed =
- sizeof(u_int8_t) /* type */;
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 1;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- if (!(serializer->status & NDPI_SERIALIZER_STATUS_ARRAY)) {
- serializer->json_buffer[0] = '[';
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, "]");
- }
- serializer->status |= NDPI_SERIALIZER_STATUS_ARRAY | NDPI_SERIALIZER_STATUS_EOR;
- serializer->status &= ~NDPI_SERIALIZER_STATUS_COMMA;
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_end_of_record;
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-static void ndpi_serialize_json_pre(ndpi_serializer *serializer) {
- if (serializer->status & NDPI_SERIALIZER_STATUS_EOR) {
- serializer->size_used--; /* Remove ']' */
- serializer->status &= ~NDPI_SERIALIZER_STATUS_EOR;
- serializer->buffer[serializer->size_used++] = ',';
- serializer->buffer[serializer->size_used++] = '{';
- } else {
- if (serializer->status & NDPI_SERIALIZER_STATUS_ARRAY)
- serializer->size_used--; /* Remove ']'*/
- serializer->size_used--; /* Remove '}'*/
- }
- if (serializer->status & NDPI_SERIALIZER_STATUS_COMMA)
- serializer->buffer[serializer->size_used++] = ',';
-}
-
-/* ********************************** */
-
-static void ndpi_serialize_json_post(ndpi_serializer *serializer) {
- serializer->buffer[serializer->size_used++] = '}';
- if (serializer->status & NDPI_SERIALIZER_STATUS_ARRAY)
- serializer->buffer[serializer->size_used++] = ']';
-
- serializer->status |= NDPI_SERIALIZER_STATUS_COMMA;
-}
-
-/* ********************************** */
-
-int ndpi_serialize_uint32_uint32(ndpi_serializer *serializer,
- u_int32_t key, u_int32_t value) {
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int16_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int32_t) /* key */ +
- sizeof(u_int32_t);
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 24;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- "\"%u\":%u", key, value);
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_uint32_uint32;
-
- ndpi_serialize_single_uint32(serializer, key);
- ndpi_serialize_single_uint32(serializer, value);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_uint32_uint64(ndpi_serializer *serializer,
- u_int32_t key, u_int64_t value) {
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int16_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int32_t) /* key */ +
- sizeof(u_int64_t);
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 32;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- "\"%u\":%llu", key, (unsigned long long)value);
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_uint32_uint64;
-
- ndpi_serialize_single_uint32(serializer, key);
- ndpi_serialize_single_uint64(serializer, value);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_uint32_string(ndpi_serializer *serializer,
- u_int32_t key, const char *value) {
- u_int16_t slen = strlen(value);
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int32_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int32_t) /* key */ +
- sizeof(u_int16_t) /* len */ +
- slen;
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 24 + slen;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- "\"%u\":", key);
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += ndpi_json_string_escape(value, slen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_uint32_string;
-
- ndpi_serialize_single_uint32(serializer, key);
- ndpi_serialize_single_string(serializer, value, slen);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_string_int32(ndpi_serializer *serializer,
- const char *key, int32_t value) {
- u_int16_t klen = strlen(key);
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int32_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- klen /* key */ +
- sizeof(u_int32_t);
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 16 + klen;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += ndpi_json_string_escape(key, klen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- ":%d", value);
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_string_int32;
-
- ndpi_serialize_single_string(serializer, key, klen);
- ndpi_serialize_single_uint32(serializer, value);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_string_int64(ndpi_serializer *serializer,
- const char *key, int64_t value) {
- u_int16_t klen = strlen(key);
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int32_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- klen /* key */ +
- sizeof(u_int32_t);
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 16 + klen;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += ndpi_json_string_escape(key, klen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- ":%lld", value);
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_string_int64;
-
- ndpi_serialize_single_string(serializer, key, klen);
- ndpi_serialize_single_uint32(serializer, value);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_string_uint32(ndpi_serializer *serializer,
- const char *key, u_int32_t value) {
- u_int16_t klen = strlen(key);
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int32_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- klen /* key */ +
- sizeof(u_int32_t);
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 16 + klen;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += ndpi_json_string_escape(key, klen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- ":%u", value);
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_string_uint32;
-
- ndpi_serialize_single_string(serializer, key, klen);
- ndpi_serialize_single_uint32(serializer, value);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_string_uint64(ndpi_serializer *serializer,
- const char *key, u_int64_t value) {
- u_int16_t klen = strlen(key);
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
- u_int32_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- klen /* key */ +
- sizeof(u_int64_t);
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 32 + klen;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += ndpi_json_string_escape(key, klen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff,
- ":%llu", (unsigned long long)value);
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_string_uint64;
-
- ndpi_serialize_single_string(serializer, key, klen);
- ndpi_serialize_single_uint64(serializer, value);
- }
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_serialize_string_string(ndpi_serializer *serializer,
- const char *key, const char *value) {
- u_int16_t klen = strlen(key), vlen = strlen(value);
- u_int32_t needed =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- klen +
- sizeof(u_int16_t) /* len */ +
- vlen;
- u_int32_t buff_diff = serializer->buffer_size - serializer->size_used;
-
- if(serializer->fmt == ndpi_serialization_format_json)
- needed += 16 + klen + vlen;
-
- if(buff_diff < needed) {
- if (ndpi_extend_serializer_buffer(serializer, needed - buff_diff) < 0)
- return(-1);
- buff_diff = serializer->buffer_size - serializer->size_used;
- }
-
- if(serializer->fmt == ndpi_serialization_format_json) {
- ndpi_serialize_json_pre(serializer);
- serializer->size_used += ndpi_json_string_escape(key, klen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += snprintf((char *) &serializer->buffer[serializer->size_used], buff_diff, ":");
- buff_diff = serializer->buffer_size - serializer->size_used;
- serializer->size_used += ndpi_json_string_escape(value, vlen,
- (char *) &serializer->buffer[serializer->size_used], buff_diff);
- buff_diff = serializer->buffer_size - serializer->size_used;
- ndpi_serialize_json_post(serializer);
- } else {
- serializer->buffer[serializer->size_used++] = ndpi_serialization_string_string;
-
- ndpi_serialize_single_string(serializer, key, klen);
- ndpi_serialize_single_string(serializer, value, vlen);
- }
-
- return(0);
-}
-
-/* ********************************** */
-/* ********************************** */
-
-int ndpi_init_deserializer_buf(ndpi_deserializer *deserializer,
- u_int8_t *serialized_buffer,
- u_int32_t serialized_buffer_len) {
- if(serialized_buffer_len < (2 * sizeof(u_int8_t)))
- return(-1);
-
- deserializer->buffer = serialized_buffer;
-
- if(deserializer->buffer[0] != 1)
- return(-2); /* Invalid version */
-
- deserializer->buffer_size = serialized_buffer_len;
- deserializer->fmt = deserializer->buffer[1];
- ndpi_reset_serializer(deserializer);
-
- return(0);
-}
-
-/* ********************************** */
-
-int ndpi_init_deserializer(ndpi_deserializer *deserializer,
- ndpi_serializer *serializer) {
- return(ndpi_init_deserializer_buf(deserializer,
- serializer->buffer,
- serializer->size_used));
-}
-
-/* ********************************** */
-
-ndpi_serialization_element_type ndpi_deserialize_get_nextitem_type(ndpi_deserializer *deserializer) {
- ndpi_serialization_element_type et;
-
- if(deserializer->size_used >= deserializer->buffer_size)
- return(ndpi_serialization_unknown);
-
- et = (ndpi_serialization_element_type) deserializer->buffer[deserializer->size_used];
-
- return et;
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_end_of_record(ndpi_deserializer *deserializer) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_end_of_record) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int16_t expected =
- sizeof(u_int8_t) /* type */;
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_uint32_uint32(ndpi_deserializer *deserializer,
- u_int32_t *key, u_int32_t *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_uint32_uint32) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int16_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int32_t) /* key */ +
- sizeof(u_int32_t);
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_uint32(deserializer, key);
- ndpi_deserialize_single_uint32(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_uint32_uint64(ndpi_deserializer *deserializer,
- u_int32_t *key, u_int64_t *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_uint32_uint64) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int16_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int32_t) /* key */ +
- sizeof(u_int64_t);
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_uint32(deserializer, key);
- ndpi_deserialize_single_uint64(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_uint32_string(ndpi_deserializer *deserializer,
- u_int32_t *key, ndpi_string *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_uint32_string) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int32_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int32_t) /* key */ +
- sizeof(u_int16_t) /* len */;
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_uint32(deserializer, key);
- ndpi_deserialize_single_string(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_string_int32(ndpi_deserializer *deserializer,
- ndpi_string *key, int32_t *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_string_int32) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int32_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- sizeof(int32_t);
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_string(deserializer, key);
- ndpi_deserialize_single_int32(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_string_int64(ndpi_deserializer *deserializer,
- ndpi_string *key, int64_t *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_string_int64) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int32_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- sizeof(int64_t);
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_string(deserializer, key);
- ndpi_deserialize_single_int64(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_string_uint32(ndpi_deserializer *deserializer,
- ndpi_string *key, u_int32_t *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_string_uint32) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int32_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- sizeof(u_int32_t);
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_string(deserializer, key);
- ndpi_deserialize_single_uint32(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_string_uint64(ndpi_deserializer *deserializer,
- ndpi_string *key, u_int64_t *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_string_uint64) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int32_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- sizeof(u_int64_t);
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_string(deserializer, key);
- ndpi_deserialize_single_uint64(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
-int ndpi_deserialize_string_string(ndpi_deserializer *deserializer,
- ndpi_string *key, ndpi_string *value) {
- if(ndpi_deserialize_get_nextitem_type(deserializer) == ndpi_serialization_string_string) {
- u_int32_t buff_diff = deserializer->buffer_size - deserializer->size_used;
- u_int32_t expected =
- sizeof(u_int8_t) /* type */ +
- sizeof(u_int16_t) /* key len */ +
- sizeof(u_int16_t) /* len */;
-
- if(buff_diff < expected) return(-2);
-
- deserializer->size_used++; /* Skip element type */
- ndpi_deserialize_single_string(deserializer, key);
- ndpi_deserialize_single_string(deserializer, value);
-
- return(0);
- } else
- return(-1);
-}
-
-/* ********************************** */
-
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 19582724d..563540fba 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -58,9 +58,9 @@ static u_int16_t parse_binf_message(struct ndpi_detection_module_struct
u_int16_t ssl_port = 0;
while (i < payload_len) {
i = skip_unknown_headers(payload, payload_len, i);
- if ((i + 30) < payload_len) {
- if (memcmp(&payload[i], "DCTM", 4) == 0) {
- if (memcmp(&payload[i + 15], "ADCS", 4) == 0) {
+ if((i + 30) < payload_len) {
+ if(memcmp(&payload[i], "DCTM", 4) == 0) {
+ if(memcmp(&payload[i + 15], "ADCS", 4) == 0) {
ssl_port = ntohs_ndpi_bytestream_to_number(&payload[i + 25], 5, &bytes_read);
NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ssl_port);
}
@@ -84,15 +84,15 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
- if (src != NULL) {
+ if(src != NULL) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
- if (connection_type == DIRECT_CONNECT_TYPE_PEER) {
- if (packet->tcp != NULL
+ if(connection_type == DIRECT_CONNECT_TYPE_PEER) {
+ if(packet->tcp != NULL
&& flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) {
src->detected_directconnect_port = packet->tcp->source;
NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port));
}
- if (packet->udp != NULL && src->detected_directconnect_udp_port == 0) {
+ if(packet->udp != NULL && src->detected_directconnect_udp_port == 0) {
src->detected_directconnect_udp_port = packet->udp->source;
NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port));
@@ -100,10 +100,10 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
}
}
- if (dst != NULL) {
+ if(dst != NULL) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
- if (connection_type == DIRECT_CONNECT_TYPE_PEER) {
- if (packet->tcp != NULL
+ if(connection_type == DIRECT_CONNECT_TYPE_PEER) {
+ if(packet->tcp != NULL
&& flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) {
/* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS
* seen at large customer http servers, where someone has send faked DC tcp packets
@@ -121,35 +121,34 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
}
}
-static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
- if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
- if (packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
- u_int16_t ssl_port = 0;
- ssl_port = parse_binf_message(ndpi_struct, &packet->payload[4], packet->payload_packet_len - 4);
- if (dst != NULL && ssl_port) {
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
+ if(packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
+ u_int16_t ssl_port = parse_binf_message(ndpi_struct,
+ &packet->payload[4],
+ packet->payload_packet_len - 4);
+ if(dst != NULL && ssl_port)
dst->detected_directconnect_ssl_port = ssl_port;
- }
- if (src != NULL && ssl_port) {
+
+ if(src != NULL && ssl_port)
src->detected_directconnect_ssl_port = ssl_port;
- }
-
-
}
- if ((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42)
+
+ if((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42)
&& memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) {
u_int16_t bytes_read = 0;
- if (dst != NULL) {
+ if(dst != NULL) {
dst->detected_directconnect_ssl_port =
ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port));
}
- if (src != NULL) {
+ if(src != NULL) {
src->detected_directconnect_ssl_port =
ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port));
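Review bot: The DCTM/ADCS branch of ndpi_search_directconnect_tcp still calls ntohs_ndpi_bytestream_to_number on the same five payload bytes twice, once under `if(dst != NULL)` and once under `if(src != NULL)`, while the BINF branch just above it was reworked to parse once into `ssl_port`. Parsing once there too, with `u_int16_t ssl_port = ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);`, and assigning that value to both endpoints would keep the two branches in the same shape. The debug output is also inconsistent: this branch prints the port through ntohs(), whereas parse_binf_message in the first hunk of this file prints it raw, so one of the two log lines probably shows a byte-swapped value. Which one is wrong depends on the byte order the helper returns, which is not visible here. The function continues beyond this hunk.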
@@ -160,9 +159,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
- if (src != NULL) {
- if (src->detected_directconnect_port == packet->tcp->source) {
- if ((u_int32_t)
+ if(src != NULL) {
+ if(src->detected_directconnect_port == packet->tcp->source) {
+ if((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
@@ -175,8 +174,8 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
}
- if (src->detected_directconnect_ssl_port == packet->tcp->dest) {
- if ((u_int32_t)
+ if(src->detected_directconnect_ssl_port == packet->tcp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
@@ -192,9 +191,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
- if (dst != NULL) {
- if (dst->detected_directconnect_port == packet->tcp->dest) {
- if ((u_int32_t)
+ if(dst != NULL) {
+ if(dst->detected_directconnect_port == packet->tcp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
@@ -207,8 +206,8 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
}
- if (dst->detected_directconnect_ssl_port == packet->tcp->dest) {
- if ((u_int32_t)
+ if(dst->detected_directconnect_ssl_port == packet->tcp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
@@ -224,17 +223,17 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
- if (flow->directconnect_stage == 0) {
+ if(flow->directconnect_stage == 0) {
- if (packet->payload_packet_len > 6) {
- if (packet->payload[0] == '$'
+ if(packet->payload_packet_len > 6) {
+ if(packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& (memcmp(&packet->payload[1], "Lock ", 5) == 0)) {
NDPI_LOG_DBG2(ndpi_struct, "maybe first dc connect to hub detected\n");
flow->directconnect_stage = 1;
return;
}
- if (packet->payload_packet_len > 7
+ if(packet->payload_packet_len > 7
&& packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& (memcmp(&packet->payload[1], "MyNick ", 7) == 0)) {
@@ -244,15 +243,15 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
}
- if (packet->payload_packet_len >= 11) {
+ if(packet->payload_packet_len >= 11) {
/* did not see this pattern in any trace */
- if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
+ if(memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
|| memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS0 E\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB);
return;
/* did not see this pattern in any trace */
- } else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
+ } else if(memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC CSUP ADBAS0 E\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_ADC_PEER);
@@ -262,16 +261,16 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
- } else if (flow->directconnect_stage == 1) {
- if (packet->payload_packet_len >= 11) {
+ } else if(flow->directconnect_stage == 1) {
+ if(packet->payload_packet_len >= 11) {
/* did not see this pattern in any trace */
- if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
+ if(memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
|| memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS E in second packet\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB);
return;
/* did not see this pattern in any trace */
- } else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
+ } else if(memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS0 E in second packet\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_ADC_PEER);
@@ -280,8 +279,8 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
}
/* get client hello answer or server message */
- if (packet->payload_packet_len > 6) {
- if ((packet->payload[0] == '$' || packet->payload[0] == '<')
+ if(packet->payload_packet_len > 6) {
+ if((packet->payload[0] == '$' || packet->payload[0] == '<')
&& packet->payload[packet->payload_packet_len - 1] == '|') {
NDPI_LOG_INFO(ndpi_struct, "found DC second\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB);
@@ -291,10 +290,10 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
}
- } else if (flow->directconnect_stage == 2) {
+ } else if(flow->directconnect_stage == 2) {
/* get client hello answer or server message */
- if (packet->payload_packet_len > 6) {
- if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|') {
+ if(packet->payload_packet_len > 6) {
+ if(packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|') {
NDPI_LOG_INFO(ndpi_struct, "found DC between peers\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
return;
@@ -318,8 +317,8 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
struct ndpi_id_struct *dst = flow->dst;
int pos, count = 0;
- if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
- if ((u_int32_t)
+ if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
@@ -334,21 +333,21 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
}
}
- if (packet->payload_packet_len > 58) {
- if (src != NULL
+ if(packet->payload_packet_len > 58) {
+ if(src != NULL
&& NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) {
- if (packet->payload[0] == '$'
+ if(packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& memcmp(&packet->payload[1], "SR ", 3) == 0) {
pos = packet->payload_packet_len - 2;
- if (packet->payload[pos] == ')') {
+ if(packet->payload[pos] == ')') {
while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
pos--;
count++;
}
- if (packet->payload[pos] == '(') {
+ if(packet->payload[pos] == '(') {
pos = pos - 44;
- if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
+ if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC udp\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
return;
@@ -356,25 +355,25 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
}
}
flow->directconnect_stage++;
- if (flow->directconnect_stage < 3)
+ if(flow->directconnect_stage < 3)
return;
}
}
- if (dst != NULL
+ if(dst != NULL
&& NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) {
- if (packet->payload[0] == '$'
+ if(packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& memcmp(&packet->payload[1], "SR ", 3) == 0) {
pos = packet->payload_packet_len - 2;
- if (packet->payload[pos] == ')') {
+ if(packet->payload[pos] == ')') {
while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
pos--;
count++;
}
- if (packet->payload[pos] == '(') {
+ if(packet->payload[pos] == '(') {
pos = pos - 44;
- if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
+ if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC udp\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
return;
@@ -382,7 +381,7 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
}
}
flow->directconnect_stage++;
- if (flow->directconnect_stage < 3)
+ if(flow->directconnect_stage < 3)
return;
}
}
@@ -404,14 +403,14 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search DC\n");
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
- if (src != NULL && ((u_int32_t)
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
+ if(src != NULL && ((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) <
ndpi_struct->directconnect_connection_ip_tick_timeout)) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
- } else if (dst != NULL && ((u_int32_t)
+ } else if(dst != NULL && ((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) <
ndpi_struct->directconnect_connection_ip_tick_timeout)) {
@@ -423,9 +422,9 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct
return;
}
- if (packet->tcp != NULL) {
+ if(packet->tcp != NULL) {
ndpi_search_directconnect_tcp(ndpi_struct, flow);
- } else if (packet->udp != NULL) {
+ } else if(packet->udp != NULL) {
ndpi_search_directconnect_udp(ndpi_struct, flow);
}
}
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index dc97f3fe7..6a4a02f60 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -128,19 +128,17 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
|| ((dns_header.num_answers == 0) && (dns_header.authority_rrs == 0)))) {
/* This is a good query */
- if(dns_header.num_queries > 0) {
- while(x < flow->packet.payload_packet_len) {
- if(flow->packet.payload[x] == '\0') {
- x++;
- flow->protos.dns.query_type = get16(&x, flow->packet.payload);
+ while(x < flow->packet.payload_packet_len) {
+ if(flow->packet.payload[x] == '\0') {
+ x++;
+ flow->protos.dns.query_type = get16(&x, flow->packet.payload);
#ifdef DNS_DEBUG
- NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type);
+ NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type);
#endif
- break;
- } else
- x++;
- }
- }
+ break;
+ } else
+ x++;
+ }
} else
invalid = 1;
} else {
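Review bot: After the terminating NUL is found and `x++` runs, `get16(&x, flow->packet.payload)` is called without checking that two more bytes remain before `flow->packet.payload_packet_len`. If the NUL is the last or second-to-last payload byte, and get16 reads two bytes at `x` as its name suggests (its definition is not in this hunk), the read goes past the captured payload. A guard right after `x++`, such as `if((x + 2) > flow->packet.payload_packet_len) break;`, would close that. The hunk also drops the inner `if(dns_header.num_queries > 0)` test, so the scan now relies on the enclosing condition, which starts outside the hunk, to have established that a question section is present.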
@@ -222,15 +220,19 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
off = sizeof(struct ndpi_dns_packet_header) + payload_offset;
while(j < max_len && off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {
- uint8_t c,cl = flow->packet.payload[off++];
+ uint8_t c, cl = flow->packet.payload[off++];
+
if( (cl & 0xc0) != 0 || // we not support compressed names in query
- off + cl >= flow->packet.payload_packet_len) {
- j = 0; break;
+ off + cl >= flow->packet.payload_packet_len) {
+ j = 0;
+ break;
}
+
if(j && j < max_len) flow->host_server_name[j++] = '.';
+
while(j < max_len && cl != 0) {
c = flow->packet.payload[off++];
- flow->host_server_name[j++] = dns_validchar[c >> 5] & (1 << (c & 0x1f)) ? c:'_';
+ flow->host_server_name[j++] = (dns_validchar[c >> 5] & (1 << (c & 0x1f))) ? c : '_';
cl--;
}
}
diff --git a/src/lib/protocols/hangout.c b/src/lib/protocols/hangout.c
index 99bf879cb..c96b36018 100644
--- a/src/lib/protocols/hangout.c
+++ b/src/lib/protocols/hangout.c
@@ -22,8 +22,12 @@
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HANGOUT_DUO
+/* #define DEBUG_LRU 1 */
+
#include "ndpi_api.h"
+/* stun.c */
+extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow);
/* https://support.google.com/a/answer/1279090?hl=en */
#define HANGOUT_UDP_LOW_PORT 19302
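Review bot: The prototype `extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow);` is declared locally in this file instead of in a header shared with stun.c, so the compiler cannot check it against the definition. A later signature change in stun.c would then go unnoticed here. Moving the declaration into a header that both files include keeps the two in step. A one-line comment on what the key is derived from would also help readers of the cache insert added further down in this file.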
@@ -85,11 +89,29 @@ void ndpi_search_hangout(struct ndpi_detection_module_struct *ndpi_struct,
if((packet->payload_packet_len > 24) && is_google_flow(ndpi_struct, flow)) {
if(
- ((packet->udp != NULL) && (isHangoutUDPPort(ntohs(packet->udp->source)) || isHangoutUDPPort(ntohs(packet->udp->dest))))
+ ((packet->udp != NULL) && (isHangoutUDPPort(ntohs(packet->udp->source))
+ || isHangoutUDPPort(ntohs(packet->udp->dest))))
||
- ((packet->tcp != NULL) && (isHangoutTCPPort(ntohs(packet->tcp->source)) || isHangoutTCPPort(ntohs(packet->tcp->dest))))) {
+ ((packet->tcp != NULL) && (isHangoutTCPPort(ntohs(packet->tcp->source))
+ || isHangoutTCPPort(ntohs(packet->tcp->dest))))) {
NDPI_LOG_INFO(ndpi_struct, "found Hangout\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_UNKNOWN);
+
+ /* Hangout is over STUN hence the LRU cache is shared */
+ if(ndpi_struct->stun_cache == NULL)
+ ndpi_struct->stun_cache = ndpi_lru_cache_init(1024);
+
+ if(ndpi_struct->stun_cache && flow->packet.iph && flow->packet.udp) {
+ u_int32_t key = get_stun_lru_key(flow);
+
+#ifdef DEBUG_LRU
+ printf("[LRU] ADDING %u / %u.%u\n", key, NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_HANGOUT_DUO);
+#endif
+
+ ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, NDPI_PROTOCOL_HANGOUT_DUO);
+ }
+
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO,
+ NDPI_PROTOCOL_STUN);
return;
}
}
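Review bot: The master protocol is now `NDPI_PROTOCOL_STUN` for every match of this branch, although the branch is also reached through the `packet->tcp` port test and the cache insert just above is limited to `flow->packet.iph && flow->packet.udp`. If STUN is only meant for the UDP case, the call could read `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, packet->udp ? NDPI_PROTOCOL_STUN : NDPI_PROTOCOL_UNKNOWN);`. The match rests on `is_google_flow`, a port range and a length test, and each hit now seeds the shared `stun_cache`. A false positive here can therefore presumably influence how later flows with the same key are labelled, which is worth stating in a comment next to the insert. The function body starts outside the hunk.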
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1e066c3ac..cd5f193db 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -35,7 +35,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
printf("[%s] [http_dont_dissect_response: %u]->> %s\n", __FUNCTION__,
ndpi_struct->http_dont_dissect_response, flow->http.response_status_code);
#endif
-
+
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
/* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
@@ -157,7 +157,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
#endif
/* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */
-
+
/* if(!ndpi_struct->http_dont_dissect_response) */ {
if((flow->http.url == NULL)
&& (packet->http_url_name.len > 0)
@@ -320,7 +320,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
/**
check result of host subprotocol detection
-
+
if "detected" in flow == 0 then "detected" = "guess"
else "guess" = "detected"
**/
@@ -338,7 +338,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(flow->detected_protocol_stack[0] != flow->guessed_host_protocol_id)
flow->guessed_host_protocol_id = flow->detected_protocol_stack[0];
}
-
+
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
&& ((ndpi_struct->http_dont_dissect_response) || flow->http_detected)
&& (packet->http_origin.len > 0)) {
@@ -480,17 +480,17 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(packet->payload_packet_len >= 12) {
char buf[4];
-
+
/* Set server HTTP response code */
strncpy(buf, (char*)&packet->payload[9], 3);
buf[3] = '\0';
-
+
flow->http.response_status_code = atoi(buf);
/* https://en.wikipedia.org/wiki/List_of_HTTP_status_codes */
if((flow->http.response_status_code < 100) || (flow->http.response_status_code > 509))
flow->http.response_status_code = 0; /* Out of range */
}
-
+
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
@@ -533,14 +533,14 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(ndpi_struct->ookla_cache == NULL)
ndpi_struct->ookla_cache = ndpi_lru_cache_init(1024);
-
+
if(packet->iph != NULL && ndpi_struct->ookla_cache != NULL) {
if(packet->tcp->source == htons(8080))
- ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, packet->iph->saddr);
+ ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, packet->iph->saddr, 1 /* dummy */);
else
- ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, packet->iph->daddr);
+ ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, packet->iph->daddr, 1 /* dummy */);
}
-
+
return;
}
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 65341cdc8..69d135943 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -48,7 +48,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if (flow->l4.tcp.mail_imap_starttls == 2) {
NDPI_LOG_DBG2(ndpi_struct, "starttls detected\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_IMAP);
- NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL);
+ NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TLS);
return;
}
diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c
index 8ab45ad32..8d52d690b 100644
--- a/src/lib/protocols/msn.c
+++ b/src/lib/protocols/msn.c
@@ -62,7 +62,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
u_int16_t plen;
u_int16_t status = 0;
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
NDPI_LOG_DBG2(ndpi_struct, "msn ssl ft test\n");
@@ -103,7 +103,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
*/
/* now we have a look at the first packet only. */
if(flow->packet_counter == 1
- || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)
+ || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)
&& flow->packet_counter <= 3)
) {
@@ -497,7 +497,7 @@ void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct nd
// need to do the ceck when protocol == http too (POST /gateway ...)
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
- || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL
+ || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
)
ndpi_search_msn_tcp(ndpi_struct, flow);
diff --git a/src/lib/protocols/ookla.c b/src/lib/protocols/ookla.c
index 44746fbd3..f3c2108bc 100644
--- a/src/lib/protocols/ookla.c
+++ b/src/lib/protocols/ookla.c
@@ -38,7 +38,9 @@ void ndpi_search_ookla(struct ndpi_detection_module_struct* ndpi_struct, struct
goto ookla_exclude;
if(ndpi_struct->ookla_cache != NULL) {
- if(ndpi_lru_find_cache(ndpi_struct->ookla_cache, addr, 0 /* Don't remove it as it can be used for other connections */)) {
+ u_int16_t dummy;
+
+ if(ndpi_lru_find_cache(ndpi_struct->ookla_cache, addr, &dummy, 0 /* Don't remove it as it can be used for other connections */)) {
NDPI_LOG_INFO(ndpi_struct, "found ookla tcp connection\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
return;
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 6d4d45044..87378ea61 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -83,15 +83,27 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
) {
int i;
-
if((packet->payload[1] == 'Q')
&& (packet->payload[2] == '0')
&& (packet->payload[3] == '4')
- && (packet->payload[4] == '6'))
+ && (packet->payload[4] == '6')
+ && (version_len == 1)
+ )
quic_hlen = 18; /* TODO: Better handle Q046 */
else {
+ u_int16_t potential_stun_len = ntohs((*((u_int16_t*)&packet->payload[2])));
+
if((version_len > 0) && (packet->payload[1+cid_len] != 'Q'))
goto no_quic;
+
+ if((version_len == 0) && ((packet->payload[0] & 0xC3 /* ignore CID len/packet number */) != 0))
+ goto no_quic;
+
+
+ /* Heuristic to see if this packet could be a STUN packet */
+ if((potential_stun_len /* STUN message len */ < udp_len)
+ && ((potential_stun_len+25 /* Attribute header overhead we assume is max */) /* STUN message len */ > udp_len))
+ return; /* This could be STUN, let's skip this packet */
NDPI_LOG_INFO(ndpi_struct, "found QUIC\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN);
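Review bot: `potential_stun_len` is read with `*((u_int16_t*)&packet->payload[2])`, a cast from a byte pointer to a 16-bit pointer that can fault on strict-alignment targets and violates the aliasing rules. Composing the value from bytes avoids both problems: `u_int16_t potential_stun_len = (packet->payload[2] << 8) | packet->payload[3];`. The read needs at least four payload bytes, and this hunk does not show that being checked (the enclosing condition starts above it). The STUN heuristic returns whenever bytes 2-3 fall within 25 of `udp_len`, so a genuine QUIC packet in that window is skipped; a comment explaining where the 25 comes from and that this miss is accepted would help.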
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index bd0179287..90b73ab1e 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -58,14 +58,14 @@ static u_int8_t isValidMSRTPType(u_int8_t payloadType) {
case 127: /* x-data */
return(1 /* RTP */);
break;
-
+
case 200: /* RTCP PACKET SENDER */
case 201: /* RTCP PACKET RECEIVER */
case 202: /* RTCP Source Description */
case 203: /* RTCP Bye */
return(2 /* RTCP */);
break;
-
+
default:
return(0);
}
@@ -78,8 +78,10 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
const u_int8_t * payload, const u_int16_t payload_len) {
NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
- if (payload_len < 2)
+ if((payload_len < 2) || flow->protos.stun_ssl.stun.num_binding_requests) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
+ }
//struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t payloadType, payload_type = payload[1] & 0x7F;
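Review bot: A packet with `payload_len < 2` used to return and leave RTP open for later packets, but with the added braces it now also runs `NDPI_EXCLUDE_PROTO`, so one short datagram permanently excludes RTP for the flow. If only the binding-request case is meant to exclude, keep the tests apart: `if(payload_len < 2) return;` followed by `if(flow->protos.stun_ssl.stun.num_binding_requests) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; }`. The counter is read from `flow->protos.stun_ssl`, and dns.c in this commit writes `flow->protos.dns`. If `protos` is a union shared between dissectors, the value is only meaningful once STUN has handled the flow, which deserves a comment or an explicit check. ndpi_rtp_search continues below the hunk.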
@@ -91,17 +93,17 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
&& ((payload_type <= 34)
|| ((payload_type >= 96) && (payload_type <= 127))
/* http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xhtml */
- )
- ) {
+ )
+ ) {
struct ndpi_packet_struct *packet = &flow->packet;
-
+
if(packet->iph) {
/* 125.209.252.xxx */
if(((ntohl(packet->iph->saddr) & 0xFFFFFF00 /* 255.255.255.0 */) == 0x7DD1FC00)
|| ((ntohl(packet->iph->daddr) & 0xFFFFFF00 /* 255.255.255.0 */) == 0x7DD1FC00)) {
if((flow->packet.payload[0] == 0x80)
&& ((flow->packet.payload[1] == 0x78) || (flow->packet.payload[1] == 0xE8))
- ) {
+ ) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LINE, NDPI_PROTOCOL_LINE);
return;
}
@@ -112,7 +114,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_UNKNOWN);
return;
} else if((payload_len >= 12)
- && (((payload[0] & 0xFF) == 0x80) || ((payload[0] & 0xFF) == 0xA0)) /* RTP magic byte[1] */
+ && (((payload[0] & 0xFF) == 0x80) || ((payload[0] & 0xFF) == 0xA0)) /* RTP magic byte[1] */
&& (payloadType = isValidMSRTPType(payload[1] & 0xFF))) {
if(payloadType == 1 /* RTP */) {
NDPI_LOG_INFO(ndpi_struct, "Found Skype for Business (former MS Lync)\n");
@@ -126,7 +128,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
return;
#endif
}
- }
+ }
/* No luck this time */
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
@@ -139,7 +141,7 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
struct ndpi_packet_struct *packet = &flow->packet;
/* printf("*** %s(pkt=%d)\n", __FUNCTION__, flow->packet_counter); */
-
+
if((packet->udp != NULL)
/* && (ntohs(packet->udp->source) > 1023) */
&& (ntohs(packet->udp->dest) > 1023))
@@ -204,14 +206,14 @@ u_int16_t update_seq(struct ndpi_detection_module_struct *ndpi_struct, struct nd
u_int16_t delta = seq - flow->rtp_seqnum[direction];
- if (delta < RTP_MAX_OUT_OF_ORDER) { /* in order, with permissible gap */
+ if(delta < RTP_MAX_OUT_OF_ORDER) { /* in order, with permissible gap */
flow->rtp_seqnum[direction] = seq;
NDPI_LOG_DBG(ndpi_struct, "rtp_seqnum[%u] = %u (increased by %u)\n",
- direction, seq, delta);
+ direction, seq, delta);
return delta;
} else {
NDPI_LOG_DBG(ndpi_struct, "retransmission (dir %u, seqnum %u)\n",
- direction, seq);
+ direction, seq);
return 0;
}
}
@@ -227,51 +229,51 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search rtp\n");
- if (payload_len == 4 && get_u_int32_t(packet->payload, 0) == 0 && flow->packet_counter < 8) {
+ if(payload_len == 4 && get_u_int32_t(packet->payload, 0) == 0 && flow->packet_counter < 8) {
NDPI_LOG_DBG(ndpi_struct, "need next packet, maybe ClearSea out calls\n");
return;
}
- if (payload_len == 5 && memcmp(payload, "hello", 5) == 0) {
+ if(payload_len == 5 && memcmp(payload, "hello", 5) == 0) {
NDPI_LOG_DBG(ndpi_struct,
- "need next packet, initial hello packet of SIP out calls.\n");
+ "need next packet, initial hello packet of SIP out calls.\n");
return;
}
- if (payload_len == 1 && payload[0] == 0) {
+ if(payload_len == 1 && payload[0] == 0) {
NDPI_LOG_DBG(ndpi_struct,
- "need next packet, payload_packet_len == 1 && payload[0] == 0.\n");
+ "need next packet, payload_packet_len == 1 && payload[0] == 0.\n");
return;
}
- if (payload_len == 3 && memcmp(payload, "png", 3) == 0) {
+ if(payload_len == 3 && memcmp(payload, "png", 3) == 0) {
/* weird packet found in Ninja GlobalIP trace */
NDPI_LOG_DBG(ndpi_struct, "skipping packet with len = 3 and png payload\n");
return;
}
- if (payload_len < 12) {
+ if(payload_len < 12) {
NDPI_LOG_DBG(ndpi_struct, "minimal packet size for rtp packets: 12\n");
goto exclude_rtp;
}
- if (payload_len == 12 && get_u_int32_t(payload, 0) == 0 && get_u_int32_t(payload, 4) == 0 && get_u_int32_t(payload, 8) == 0) {
+ if(payload_len == 12 && get_u_int32_t(payload, 0) == 0 && get_u_int32_t(payload, 4) == 0 && get_u_int32_t(payload, 8) == 0) {
NDPI_LOG_DBG(ndpi_struct, "skipping packet with len = 12 and only 0-bytes\n");
return;
}
- if ((payload[0] & 0xc0) == 0xc0 || (payload[0] & 0xc0) == 0x40 || (payload[0] & 0xc0) == 0x00) {
+ if((payload[0] & 0xc0) == 0xc0 || (payload[0] & 0xc0) == 0x40 || (payload[0] & 0xc0) == 0x00) {
NDPI_LOG_DBG(ndpi_struct, "version = 3 || 1 || 0, maybe first rtp packet\n");
return;
}
- if ((payload[0] & 0xc0) != 0x80) {
+ if((payload[0] & 0xc0) != 0x80) {
NDPI_LOG_DBG(ndpi_struct, "rtp version must be 2, first two bits of a packets must be 10\n");
goto exclude_rtp;
}
/* rtp_payload_type are the last seven bits of the second byte */
- if (flow->rtp_payload_type[packet->packet_direction] != (payload[1] & 0x7F)) {
+ if(flow->rtp_payload_type[packet->packet_direction] != (payload[1] & 0x7F)) {
NDPI_LOG_DBG(ndpi_struct, "payload_type has changed, reset stages\n");
packet->packet_direction == 0 ? (flow->rtp_stage1 = 0) : (flow->rtp_stage2 = 0);
}
@@ -280,56 +282,56 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
stage = (packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2);
- if (stage > 0) {
+ if(stage > 0) {
NDPI_LOG_DBG(ndpi_struct, "stage = %u\n", packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2);
- if (flow->rtp_ssid[packet->packet_direction] != get_u_int32_t(payload, 8)) {
+ if(flow->rtp_ssid[packet->packet_direction] != get_u_int32_t(payload, 8)) {
NDPI_LOG_DBG(ndpi_struct, "ssid has changed, goto exclude rtp\n");
goto exclude_rtp;
}
- if (seqnum == flow->rtp_seqnum[packet->packet_direction]) {
+ if(seqnum == flow->rtp_seqnum[packet->packet_direction]) {
NDPI_LOG_DBG(ndpi_struct, "maybe \"retransmission\", need next packet\n");
return;
- } else if ((u_int16_t) (seqnum - flow->rtp_seqnum[packet->packet_direction]) < RTP_MAX_OUT_OF_ORDER) {
+ } else if((u_int16_t) (seqnum - flow->rtp_seqnum[packet->packet_direction]) < RTP_MAX_OUT_OF_ORDER) {
NDPI_LOG_DBG(ndpi_struct,
- "new packet has larger sequence number (within valid range)\n");
+ "new packet has larger sequence number (within valid range)\n");
update_seq(ndpi_struct, flow, packet->packet_direction, seqnum);
- } else if ((u_int16_t) (flow->rtp_seqnum[packet->packet_direction] - seqnum) < RTP_MAX_OUT_OF_ORDER) {
+ } else if((u_int16_t) (flow->rtp_seqnum[packet->packet_direction] - seqnum) < RTP_MAX_OUT_OF_ORDER) {
NDPI_LOG_DBG(ndpi_struct,
- "new packet has smaller sequence number (within valid range)\n");
+ "new packet has smaller sequence number (within valid range)\n");
init_seq(ndpi_struct, flow, packet->packet_direction, seqnum, 1);
} else {
NDPI_LOG_DBG(ndpi_struct,
- "sequence number diff is too big, goto exclude rtp.\n");
+ "sequence number diff is too big, goto exclude rtp.\n");
goto exclude_rtp;
}
} else {
NDPI_LOG_DBG(ndpi_struct, "rtp_ssid[%u] = %u\n", packet->packet_direction,
- flow->rtp_ssid[packet->packet_direction]);
+ flow->rtp_ssid[packet->packet_direction]);
flow->rtp_ssid[packet->packet_direction] = get_u_int32_t(payload, 8);
- if (flow->packet_counter < 3) {
+ if(flow->packet_counter < 3) {
NDPI_LOG_DBG(ndpi_struct, "packet_counter < 3, need next packet\n");
}
init_seq(ndpi_struct, flow, packet->packet_direction, seqnum, 1);
}
- if (seqnum <= 3) {
+ if(seqnum <= 3) {
NDPI_LOG_DBG(ndpi_struct, "sequence_number = %u, too small, need next packet, return\n", seqnum);
return;
}
- if (stage == 3) {
+ if(stage == 3) {
NDPI_LOG_DBG(ndpi_struct, "add connection I\n");
ndpi_int_rtp_add_connection(ndpi_struct, flow);
} else {
packet->packet_direction == 0 ? flow->rtp_stage1++ : flow->rtp_stage2++;
NDPI_LOG_DBG(ndpi_struct, "stage[%u]++; need next packet\n",
- packet->packet_direction);
+ packet->packet_direction);
}
return;
- exclude_rtp:
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
- || /* packet->real_protocol_read_only == NDPI_PROTOCOL_STUN */) {
+exclude_rtp:
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
+ || /* packet->real_protocol_read_only == NDPI_PROTOCOL_STUN */) {
NDPI_LOG_DBG(ndpi_struct, "STUN: is detected, need next packet\n");
return;
}
@@ -344,17 +346,17 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
struct ndpi_packet_struct *packet = &flow->packet;
- if (packet->udp) {
+ if(packet->udp) {
ndpi_rtp_search(ndpi_struct, flow, packet->payload, packet->payload_packet_len);
- } else if (packet->tcp) {
+ } else if(packet->tcp) {
/* skip special packets seen at yahoo traces */
- if (packet->payload_packet_len >= 20 && ntohs(get_u_int16_t(packet->payload, 2)) + 20 == packet->payload_packet_len &&
- packet->payload[0] == 0x90 && packet->payload[1] >= 0x01 && packet->payload[1] <= 0x07) {
- if (flow->packet_counter == 2)
+ if(packet->payload_packet_len >= 20 && ntohs(get_u_int16_t(packet->payload, 2)) + 20 == packet->payload_packet_len &&
+ packet->payload[0] == 0x90 && packet->payload[1] >= 0x01 && packet->payload[1] <= 0x07) {
+ if(flow->packet_counter == 2)
flow->l4.tcp.rtp_special_packets_seen = 1;
NDPI_LOG_DBG(ndpi_struct,
- "skipping STUN-like, special yahoo packets with payload[0] == 0x90.\n");
+ "skipping STUN-like, special yahoo packets with payload[0] == 0x90.\n");
return;
}
@@ -365,12 +367,12 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
* we can remove this restriction
*/
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
- || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_RTP) {
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
+ || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_RTP) {
/* RTP may be encapsulated in TCP packets */
- if (packet->payload_packet_len >= 2 && ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) {
+ if(packet->payload_packet_len >= 2 && ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) {
/* TODO there could be several RTP packets in a single TCP packet so maybe the detection could be
* improved by checking only the RTP packet of given length */
@@ -381,9 +383,9 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
}
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && flow->l4.tcp.rtp_special_packets_seen == 1) {
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && flow->l4.tcp.rtp_special_packets_seen == 1) {
- if (packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) + 4 == packet->payload_packet_len) {
+ if(packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) + 4 == packet->payload_packet_len) {
/* TODO there could be several RTP packets in a single TCP packet so maybe the detection could be
* improved by checking only the RTP packet of given length */
@@ -394,7 +396,7 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
}
- if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_STUN)) {
+ if(NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_STUN)) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
} else {
NDPI_LOG_DBG(ndpi_struct, "STUN not yet excluded, need next packet\n");
@@ -416,4 +418,3 @@ void init_rtp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 1a20078c3..7e5ca5e62 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -2,7 +2,7 @@
* ssh.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -19,7 +19,7 @@
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
*/
#include "ndpi_protocol_ids.h"
@@ -27,12 +27,134 @@
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH
#include "ndpi_api.h"
+#include "ndpi_md5.h"
+
+/*
+ HASSH - https://github.com/salesforce/hassh
+
+ https://github.com/salesforce/hassh/blob/master/python/hassh.py
+
+ [server]
+ skex = packet.ssh.kex_algorithms
+ seastc = packet.ssh.encryption_algorithms_server_to_client
+ smastc = packet.ssh.mac_algorithms_server_to_client
+ scastc = packet.ssh.compression_algorithms_server_to_client
+ hasshs_str = ';'.join([skex, seastc, smastc, scastc])
+
+ [client]
+ ckex = packet.ssh.kex_algorithms
+ ceacts = packet.ssh.encryption_algorithms_client_to_server
+ cmacts = packet.ssh.mac_algorithms_client_to_server
+ ccacts = packet.ssh.compression_algorithms_client_to_server
+ hassh_str = ';'.join([ckex, ceacts, cmacts, ccacts])
+*/
+
+/* #define SSH_DEBUG 1 */
+
+/* ************************************************************************ */
static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow){
+ *ndpi_struct, struct ndpi_flow_struct *flow) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN);
}
+/* ************************************************************************ */
+
+static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
+ char *buf, u_int8_t client_hash) {
+ u_int16_t offset = 22, buf_out_len = 0;
+ u_int32_t len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+
+ if(len < (packet->payload_packet_len-offset)) {
+ /* ssh.kex_algorithms [C/S] */
+ offset += 4;
+ strncpy(buf, (const char *)&packet->payload[offset], buf_out_len = len);
+ buf[buf_out_len++] = ';';
+ offset += len;
+
+ /* ssh.server_host_key_algorithms [None] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+ offset += 4 + len;
+
+ /* ssh.encryption_algorithms_client_to_server [C] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+
+ if(client_hash) {
+ offset += 4;
+ strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+ buf_out_len += len;
+ buf[buf_out_len++] = ';';
+ offset += len;
+ } else
+ offset += 4 + len;
+
+ /* ssh.encryption_algorithms_server_to_client [S] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+ if(!client_hash) {
+ offset += 4;
+ strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+ buf_out_len += len;
+ buf[buf_out_len++] = ';';
+ offset += len;
+ } else
+ offset += 4 + len;
+
+ /* ssh.mac_algorithms_client_to_server [C] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+ if(client_hash) {
+ offset += 4;
+ strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+ buf_out_len += len;
+ buf[buf_out_len++] = ';';
+ offset += len;
+ } else
+ offset += 4 + len;
+
+ /* ssh.mac_algorithms_server_to_client [S] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+ if(!client_hash) {
+ offset += 4;
+ strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+ buf_out_len += len;
+ buf[buf_out_len++] = ';';
+ offset += len;
+ } else
+ offset += 4 + len;
+
+ /* ssh.compression_algorithms_client_to_server [C] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+ if(client_hash) {
+ offset += 4;
+ strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+ buf_out_len += len;
+ offset += len;
+ } else
+ offset += 4 + len;
+
+ /* ssh.compression_algorithms_server_to_client [S] */
+ len = ntohl(*(u_int32_t*)&packet->payload[offset]);
+ if(!client_hash) {
+ offset += 4;
+ strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+ buf_out_len += len;
+ offset += len;
+ } else
+ offset += 4 + len;
+
+ /* ssh.languages_client_to_server [None] */
+
+ /* ssh.languages_server_to_client [None] */
+ }
+
+#ifdef SSH_DEBUG
+ printf("\n[SSH] %s\n", buf);
+#endif
+
+ return(buf_out_len);
+}
+
+/* ************************************************************************ */
+
static void ndpi_ssh_zap_cr(char *str, int len) {
len--;
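Review bot: In `concat_hash_string` only the first length field is compared with the payload size; every later `len` comes straight from the packet via `ntohl()` and is used as a `strncpy` count and as an `offset` increment, so a malformed KEXINIT can drive reads past `packet->payload` and writes past `buf`, which the caller sizes from `payload_packet_len`. The first check is weak too: the 4-byte read at offset 22 happens before any length test, and `payload_packet_len-offset` goes negative for payloads shorter than 22 bytes, which the comparison with the unsigned `len` treats as a very large value. I would route every field through one bounds-checked helper and stop at the first field that does not fit, as in the excerpt below. `offset` should be wider than 16 bits so the additions cannot wrap, and the length is better read with `memcpy` than through a `u_int32_t*` cast because the payload is not guaranteed to be aligned.

```c
/* Reads the 4-byte big-endian length at *offset and verifies that the
   field it announces lies completely inside the payload */
static int ssh_next_field(const struct ndpi_packet_struct *packet,
                          u_int32_t *offset, u_int32_t *len) {
  u_int32_t v;

  if((*offset > packet->payload_packet_len)
     || ((packet->payload_packet_len - *offset) < 4))
    return(-1);

  memcpy(&v, &packet->payload[*offset], sizeof(v));
  *len = ntohl(v);
  *offset += 4;

  if(*len > (packet->payload_packet_len - *offset))
    return(-1);

  return(0);
}

static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
                                    char *buf, u_int8_t client_hash) {
  u_int32_t offset = 22, len;
  u_int16_t buf_out_len = 0;

  /* ssh.kex_algorithms [C/S] */
  if(ssh_next_field(packet, &offset, &len) != 0)
    return(0);

  strncpy(buf, (const char *)&packet->payload[offset], len);
  buf_out_len = len;
  buf[buf_out_len++] = ';';
  offset += len;

  /* … remaining fields: same pattern, ssh_next_field() first, then copy or skip len bytes … */
```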
@@ -45,46 +167,132 @@ static void ndpi_ssh_zap_cr(char *str, int len) {
}
}
-void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
+/* ************************************************************************ */
+
+void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+#ifdef SSH_DEBUG
+ printf("\n[SSH] [stage: %u]\n", flow->l4.tcp.ssh_stage);
+#endif
- if (flow->l4.tcp.ssh_stage == 0) {
- if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100
+ if(flow->l4.tcp.ssh_stage == 0) {
+ if(packet->payload_packet_len > 7 && packet->payload_packet_len < 100
&& memcmp(packet->payload, "SSH-", 4) == 0) {
if(!ndpi_struct->disable_metadata_export) {
- int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len);
+ int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len);
+
strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len);
flow->protos.ssh.client_signature[len] = '\0';
ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len);
+
+#ifdef SSH_DEBUG
+ printf("\n[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature);
+#endif
}
-
+
NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n");
flow->l4.tcp.ssh_stage = 1 + packet->packet_direction;
+ flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
return;
}
- } else if (flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) {
- if (packet->payload_packet_len > 7 && packet->payload_packet_len < 500
+ } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) {
+ if(packet->payload_packet_len > 7 && packet->payload_packet_len < 500
&& memcmp(packet->payload, "SSH-", 4) == 0) {
if(!ndpi_struct->disable_metadata_export) {
int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len);
+
strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len);
flow->protos.ssh.server_signature[len] = '\0';
ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len);
+
+#ifdef SSH_DEBUG
+ printf("\n[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature);
+#endif
+
+ NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n");
+ flow->l4.tcp.ssh_stage++;;
+ flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
+ } else {
+ NDPI_LOG_INFO(ndpi_struct, "found ssh\n");
+ ndpi_int_ssh_add_connection(ndpi_struct, flow);
}
-
- NDPI_LOG_INFO(ndpi_struct, "found ssh\n");
-
- ndpi_int_ssh_add_connection(ndpi_struct, flow);
+
+#ifdef SSH_DEBUG
+ printf("\n[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage);
+#endif
+
return;
+ }
+ } else {
+ u_int8_t msgcode = *(packet->payload + 5);
+ ndpi_MD5_CTX ctx;
+
+#ifdef SSH_DEBUG
+ printf("\n[SSH] [stage: %u][msg: %u]\n", flow->l4.tcp.ssh_stage, msgcode);
+#endif
+ if(msgcode == 20 /* key exchange init */) {
+ char *hassh_buf = calloc(packet->payload_packet_len, sizeof(char));
+ u_int i, len;
+
+ if(hassh_buf) {
+ if(flow->l4.tcp.ssh_stage == 3) {
+ u_char fingerprint_client[16];
+
+ len = concat_hash_string(packet, hassh_buf, 1 /* client */);
+
+ ndpi_MD5Init(&ctx);
+ ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len);
+ ndpi_MD5Final(fingerprint_client, &ctx);
+
+#ifdef SSH_DEBUG
+ {
+ printf("\n[SSH] [client][%s][", hassh_buf);
+ for(i=0; i<16; i++) printf("%02X", fingerprint_client[i]);
+ printf("]\n");
+ }
+#endif
+ for(i=0; i<16; i++) sprintf(&flow->protos.ssh.hassh_client[i*2], "%02X", fingerprint_client[i] & 0xFF);
+ flow->protos.ssh.hassh_client[32] = '\0';
+ } else {
+ u_char fingerprint_server[16];
+
+ len = concat_hash_string(packet, hassh_buf, 0 /* server */);
+
+ ndpi_MD5Init(&ctx);
+ ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len);
+ ndpi_MD5Final(fingerprint_server, &ctx);
+
+#ifdef SSH_DEBUG
+ {
+ printf("\n[SSH] [server][%s][", hassh_buf);
+ for(i=0; i<16; i++) printf("%02X", fingerprint_server[i]);
+ printf("]\n");
+ }
+#endif
+
+ for(i=0; i<16; i++) sprintf(&flow->protos.ssh.hassh_server[i*2], "%02X", fingerprint_server[i] & 0xFF);
+ flow->protos.ssh.hassh_server[32] = '\0';
+ }
+
+ free(hassh_buf);
+ }
}
+
+ if(flow->l4.tcp.ssh_stage++ == 4) {
+ NDPI_LOG_INFO(ndpi_struct, "found ssh\n");
+ ndpi_int_ssh_add_connection(ndpi_struct, flow);
+ }
+
+ return;
}
NDPI_LOG_DBG(ndpi_struct, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage);
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH);
}
+/* ************************************************************************ */
void init_ssh_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
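Review bot: The new final `else` branch of `ndpi_search_ssh_tcp` reads `*(packet->payload + 5)` without checking that the payload holds six bytes, so a short or empty segment after the banner exchange is an out-of-bounds read; `u_int8_t msgcode = (packet->payload_packet_len > 5) ? packet->payload[5] : 0;` avoids it. The HASSH buffer is allocated with exactly `payload_packet_len` bytes and filled by `concat_hash_string`, so it is only safe once that function bounds every copy by the payload length, and the `SSH_DEBUG` `printf("%s")` additionally needs one spare byte for the terminator. When `concat_hash_string` returns 0 the code still stores the MD5 of an empty string as the fingerprint; wrapping the hash and `sprintf` steps in `if(len > 0)` keeps a meaningless value out of `hassh_client`/`hassh_server`. `init_ssh_dissector`, which ends this hunk, continues outside it.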
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 202b3d939..8334c667a 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -30,7 +30,9 @@
#define MAX_NUM_STUN_PKTS 8
-// #define DEBUG_STUN 1
+/* #define DEBUG_STUN 1 */
+
+/* #define DEBUG_LRU 1 */
struct stun_packet_header {
u_int16_t msg_type, msg_len;
@@ -38,9 +40,43 @@ struct stun_packet_header {
u_int8_t transaction_id[8];
};
+/* ************************************************************ */
+
+u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow) {
+ return(flow->packet.iph->saddr + flow->packet.udp->source);
+}
+
+/* ************************************************************ */
+
static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- u_int proto, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_UNKNOWN);
+ struct ndpi_flow_struct *flow,
+ u_int app_proto, u_int proto) {
+ if(ndpi_struct->stun_cache == NULL)
+ ndpi_struct->stun_cache = ndpi_lru_cache_init(1024);
+
+ if(ndpi_struct->stun_cache
+ && flow->packet.iph
+ && flow->packet.udp
+ && (app_proto != NDPI_PROTOCOL_UNKNOWN)
+ ) /* Cache flow sender info */ {
+ u_int32_t key = get_stun_lru_key(flow);
+ u_int16_t cached_proto;
+
+ if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
+#ifdef DEBUG_LRU
+ printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key, cached_proto, proto, app_proto);
+#endif
+ app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN;
+ } else {
+#ifdef DEBUG_LRU
+ printf("[LRU] ADDING %u / %u.%u\n", key, proto, app_proto);
+#endif
+
+ ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto);
+ }
+ }
+
+ ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, proto);
}
typedef enum {
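Review bot: `get_stun_lru_key` builds the cache key as the plain sum `saddr + source`, so different senders map to the same key, and on a hit `ndpi_int_stun_add_connection` replaces the protocol the dissector has just detected with the cached one (`app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN`). For a classifier whose output feeds policy or monitoring, that means one flow's label can be applied to an unrelated sender's traffic. I would treat the cached value as a hint only, not overwriting an `app_proto` the caller has already determined, and document the limitation on the helper, for example `/* 32-bit sum of IPv4 source address and UDP source port (network order); distinct senders can collide */`. The helper also dereferences `iph` and `udp` unconditionally and is exported without a prefix; unless another file needs it, making it `static` keeps it out of the library's global namespace.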
@@ -48,6 +84,7 @@ typedef enum {
NDPI_IS_NOT_STUN
} ndpi_int_stun_t;
+/* ************************************************************ */
static int is_google_ip_address(u_int32_t host) {
if(
@@ -59,6 +96,29 @@ static int is_google_ip_address(u_int32_t host) {
return(0);
}
+/* ************************************************************ */
+
+/*
+ WhatsApp
+ 31.13.86.48
+ 31.13.92.50
+ 157.240.20.51
+ 157.240.21.51
+ 185.60.216.51
+
+ Messenger
+ 31.13.86.5
+*/
+
+static int is_messenger_ip_address(u_int32_t host) {
+ if(host == 0x1F0D5605 /* 31.13.86.5 */)
+ return(1);
+ else
+ return(0);
+}
+
+/* ************************************************************ */
+
static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload,
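Review bot: `is_messenger_ip_address` does not say which byte order it expects; the constant `0x1F0D5605` matches only a host-order value, which the callers in this commit obtain with `ntohl()`, so a comment such as `/* host: IPv4 address in host byte order */` belongs on the function. The comment block above it lists five WhatsApp addresses that no code in this hunk uses, which reads as if they were matched; mark them as reference notes. The body can be reduced to `return(host == 0x1F0D5605 /* 31.13.86.5 */);`.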
@@ -77,7 +137,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
*is_whatsapp = 0, *is_messenger = 0, *is_duo = 0;
if(payload_length < sizeof(struct stun_packet_header)) {
- /* This looks like an invlid packet */
+ /* This looks like an invalid packet */
if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
*is_whatsapp = 1;
@@ -98,18 +158,47 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(msg_type > 0x000C)
return(NDPI_IS_NOT_STUN);
+ if(ndpi_struct->stun_cache) {
+ u_int16_t proto;
+ u_int32_t key = get_stun_lru_key(flow);
+
+ if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */)) {
+#ifdef DEBUG_LRU
+ printf("[LRU] FOUND %u / %u\n", key, proto);
+#endif
+
+ flow->guessed_host_protocol_id = proto, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ return(NDPI_IS_STUN);
+ } else {
+#ifdef DEBUG_LRU
+ printf("[LRU] NOT FOUND %u\n", key);
+#endif
+ }
+ } else {
+#ifdef DEBUG_LRU
+ printf("[LRU] NO/EMPTY CACHE\n");
+#endif
+ }
+
if(msg_type == 0x01 /* Binding Request */) {
flow->protos.stun_ssl.stun.num_binding_requests++;
- if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) {
+
+ if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE))
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
- }
+ else
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_STUN;
+
+ flow->protos.stun_ssl.stun.num_udp_pkts++;
+
+ if(msg_len == 0)
+ return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
}
if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return(NDPI_IS_NOT_STUN);
}
-
+
flow->protos.stun_ssl.stun.num_udp_pkts++;
/*
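Review bot: The cache lookup added at the top of this hunk calls `get_stun_lru_key(flow)`, which dereferences `flow->packet.iph` and `flow->packet.udp`, after checking only `ndpi_struct->stun_cache`. `ndpi_int_stun_add_connection` in the same commit tests both pointers first, and `ndpi_search_stun` also reaches this function from what its own log comment calls the TCP branch, so a NULL dereference on non-IPv4 or TCP traffic looks possible; the guard should read `if(ndpi_struct->stun_cache && flow->packet.iph && flow->packet.udp) {`. Separately, a Binding Request with a non-zero `msg_len` now increments `num_udp_pkts` twice, once in the added code and once at the existing increment at the end of the hunk, so the counter reaches `MAX_NUM_STUN_PKTS` in half the packets; drop one of the two. `ndpi_int_check_stun` starts and ends outside this hunk.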
@@ -131,9 +220,20 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if((payload[0] != 0x80) && ((msg_len+20) > payload_length))
return(NDPI_IS_NOT_STUN);
- else
- flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
-
+ else {
+ switch(flow->guessed_protocol_id) {
+ case NDPI_PROTOCOL_HANGOUT_DUO:
+ case NDPI_PROTOCOL_MESSENGER:
+ case NDPI_PROTOCOL_WHATSAPP_VOICE:
+ /* Don't overwrite the protocol with sub-STUN protocols */
+ break;
+
+ default:
+ flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ break;
+ }
+ }
+
if(payload_length == (msg_len+20)) {
if(msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ {
u_int offset = 20;
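Review bot: The new `switch` tests `flow->guessed_protocol_id` against `NDPI_PROTOCOL_HANGOUT_DUO`, `NDPI_PROTOCOL_MESSENGER` and `NDPI_PROTOCOL_WHATSAPP_VOICE`, but every assignment of those values visible in this diff goes to `flow->guessed_host_protocol_id`, while `guessed_protocol_id` receives `NDPI_PROTOCOL_STUN`. If nothing outside the diff stores a sub-protocol in `guessed_protocol_id`, the three cases never match and the switch always takes `default`, which is the old behaviour. Either switch on the field that actually carries the sub-protocol, or add a comment naming where `guessed_protocol_id` is given these values. The enclosing function starts and ends outside this hunk.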
@@ -157,6 +257,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(x != 0)
len += 4-x;
+#ifdef DEBUG_STUN
+ printf("==> Attribute: %04X\n", attribute);
+#endif
+
switch(attribute) {
case 0x0008: /* Message Integrity */
case 0x0020: /* XOR-MAPPED-ADDRESSES */
@@ -166,6 +270,28 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
/* These are the only messages apparently whatsapp voice can use */
break;
+ case 0x0014: /* Realm */
+ {
+ u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));
+
+ if(flow->host_server_name[0] == '\0') {
+ u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len;
+ u_int k = offset+4;
+
+ memset(flow->host_server_name, 0, sizeof(flow->host_server_name));
+
+ for(j=0; j<i; j++)
+ flow->host_server_name[j] = payload[k++];
+
+ if(strstr((char*)flow->host_server_name, "google.com") != NULL) {
+ *is_duo = 1;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ return(NDPI_IS_STUN);
+ }
+ }
+ }
+ break;
+
case 0xC057: /* Messeger */
if(msg_type == 0x0001) {
if((msg_len == 100) || (msg_len == 104)) {
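Review bot: In the new Realm case the copy length is clamped to `sizeof(flow->host_server_name)` rather than one less, so a realm at least that long fills the buffer with no terminating NUL and the `strstr()` that follows reads past it. The copy loop also reads `payload[k++]` for `realm_len` bytes, a value taken from the packet, without comparing it against `payload_length`. Clamp to both limits before copying, as in the excerpt below. Whether `payload[offset+2]` itself is in range depends on the attribute loop's condition, which is outside this hunk.

```c
case 0x0014: /* Realm */
  /* … unchanged: realm_len read … */
    if(flow->host_server_name[0] == '\0') {
      u_int j, k = offset+4;
      u_int avail = (payload_length > k) ? (payload_length - k) : 0;
      u_int i = ndpi_min(realm_len, sizeof(flow->host_server_name)-1); /* keep room for the NUL */

      if(i > avail)
        i = avail; /* never read past the end of the packet */

      /* … unchanged: memset, copy loop, google.com check … */
```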
@@ -173,7 +299,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_STUN);
} else if(msg_len == 76) {
*is_duo = 1;
- return(NDPI_IS_STUN);
+
+ if(1) {
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */
+ } else
+ return(NDPI_IS_STUN);
}
}
break;
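Review bot: `if(1) { ... } else return(NDPI_IS_STUN);` leaves an `else` that can never run, and the branch sets `*is_duo = 1` immediately before returning `NDPI_IS_NOT_STUN`, although the callers in `ndpi_search_stun` look at `is_duo` only when the result is `NDPI_IS_STUN`. Drop the `if(1)` wrapper and keep the two live statements with the existing "found also with signal traffic" comment. If the old `return(NDPI_IS_STUN)` is kept for reference, a comment explaining why it was abandoned says more than dead code.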
@@ -185,6 +316,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& (payload[offset+6] == 0x00)
&& (payload[offset+7] == 0x00)) {
/* Either skype for business or "normal" skype with multiparty call */
+#ifdef DEBUG_STUN
+ printf("==> Skype found\n");
+#endif
flow->protos.stun_ssl.stun.is_skype = 1;
return(NDPI_IS_STUN);
}
@@ -201,6 +335,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0x0800:
/* printf("====>>>> %04X\n", attribute); */
flow->protos.stun_ssl.stun.is_skype = 1;
+#ifdef DEBUG_STUN
+ printf("==> Skype (2) found\n");
+#endif
+
return(NDPI_IS_STUN);
break;
@@ -213,6 +351,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))
) {
flow->protos.stun_ssl.stun.is_skype = 1;
+#ifdef DEBUG_STUN
+ printf("==> Skype (3) found\n");
+#endif
+
return(NDPI_IS_STUN);
}
break;
@@ -221,7 +363,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
can_this_be_whatsapp_voice = 0;
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
break;
-
+
default:
/* This means this STUN packet cannot be confused with whatsapp voice */
#ifdef DEBUG_STUN
@@ -249,15 +391,16 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
udp_stun_found:
if(can_this_be_whatsapp_voice) {
struct ndpi_packet_struct *packet = &flow->packet;
-
+
flow->protos.stun_ssl.stun.num_processed_pkts++;
#ifdef DEBUG_STUN
printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n");
#endif
- if((ntohs(packet->udp->source) == 3478) || (ntohs(packet->udp->dest) == 3478))
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_VOICE;
- else
+ if((ntohs(packet->udp->source) == 3478) || (ntohs(packet->udp->dest) == 3478)) {
+ flow->guessed_host_protocol_id = (is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr))) ?
+ NDPI_PROTOCOL_MESSENGER : NDPI_PROTOCOL_WHATSAPP_VOICE;
+ } else
flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE;
return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
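Review bot: The port-3478 branch now dereferences `packet->iph` for the `is_messenger_ip_address` test, where the old code in that branch touched only `packet->udp`. `ndpi_int_stun_add_connection` in this same commit checks `flow->packet.iph` before using it, which suggests the pointer can be NULL (presumably for non-IPv4 traffic), so this adds a possible NULL dereference on a path that did not have one. Guard the test with `packet->iph && (is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr)))`. The `else` branch below has the same unguarded access in the existing code.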
@@ -295,23 +438,24 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2,
packet->payload_packet_len - 2,
&is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) {
- if(flow->guessed_protocol_id == 0) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(is_messenger) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN);
+ ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN);
return;
} else if(is_duo) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
+ ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
return;
} else if(flow->protos.stun_ssl.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "found Skype\n");
if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
+ ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */
- ndpi_int_stun_add_connection(ndpi_struct,
- is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) : NDPI_PROTOCOL_STUN, flow);
+ ndpi_int_stun_add_connection(ndpi_struct, flow,
+ is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) : NDPI_PROTOCOL_STUN,
+ NDPI_PROTOCOL_UNKNOWN);
}
return;
@@ -323,26 +467,25 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
packet->payload_packet_len,
&is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) {
- if(flow->guessed_protocol_id == 0) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(is_messenger) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN);
+ ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN);
return;
} else if(is_duo) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
+ ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
return;
} else if(flow->protos.stun_ssl.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "Found Skype\n");
/* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
+ ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n");
- ndpi_int_stun_add_connection(ndpi_struct,
+ ndpi_int_stun_add_connection(ndpi_struct, flow,
is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO)
- : NDPI_PROTOCOL_STUN,
- flow);
+ : NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN);
}
return;
diff --git a/src/lib/protocols/teamspeak.c b/src/lib/protocols/teamspeak.c
index 214a2fe99..170be1d7f 100644
--- a/src/lib/protocols/teamspeak.c
+++ b/src/lib/protocols/teamspeak.c
@@ -35,32 +35,43 @@ void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, str
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search teamspeak\n");
+
- if (packet->udp != NULL) {
+#ifdef WEAK_DETECTION_CODE_DISABLED
+ if(packet->udp != NULL) {
u_int16_t udport, usport;
+
usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest);
+
/* http://www.imfirewall.com/en/protocols/teamSpeak.htm */
- if (((usport == 9987 || udport == 9987) || (usport == 8767 || udport == 8767)) && packet->payload_packet_len >= 20) {
+ if(((usport == 9987 || udport == 9987) || (usport == 8767 || udport == 8767)) && packet->payload_packet_len >= 20) {
NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK udp\n");
ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
}
}
- else if (packet->tcp != NULL) {
- u_int16_t tdport, tsport;
- tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest);
- /* https://github.com/Youx/soliloque-server/wiki/Connection-packet */
- if(packet->payload_packet_len >= 20) {
- if (((memcmp(packet->payload, "\xf4\xbe\x03\x00", 4) == 0)) ||
- ((memcmp(packet->payload, "\xf4\xbe\x02\x00", 4) == 0)) ||
+ else
+#endif
+
+ if(packet->tcp != NULL) {
+ u_int16_t tdport, tsport;
+ tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest);
+ /* https://github.com/Youx/soliloque-server/wiki/Connection-packet */
+ if(packet->payload_packet_len >= 20) {
+ if(((memcmp(packet->payload, "\xf4\xbe\x03\x00", 4) == 0)) ||
+ ((memcmp(packet->payload, "\xf4\xbe\x02\x00", 4) == 0)) ||
((memcmp(packet->payload, "\xf4\xbe\x01\x00", 4) == 0))) {
- NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK tcp\n");
- ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
- } /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */
- } else if ((tsport == 14534 || tdport == 14534) || (tsport == 51234 || tdport == 51234)) {
- NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK\n");
- ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
- }
- }
+ NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK tcp\n");
+ ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
+ } /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */
+ }
+#if WEAK_DETECTION_CODE_DISABLED
+ else if((tsport == 14534 || tdport == 14534) || (tsport == 51234 || tdport == 51234)) {
+ NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK\n");
+ ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
+ }
+#endif
+ }
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
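Review bot: The two guards use different directives: the UDP block is under `#ifdef WEAK_DETECTION_CODE_DISABLED` while the TCP port check is under `#if WEAK_DETECTION_CODE_DISABLED`, so defining the macro without a value enables the first and fails to compile at the second; use `#ifdef` in both places. With the macro undefined, `tsport` and `tdport` are still assigned but never read, which gives set-but-unused warnings; move their declaration and assignment inside the guarded block. The macro name also reads as the opposite of what it does, since defining it enables the weak port-based code, and that deserves a one-line comment at its first use. `ndpi_search_teamspeak` begins outside this hunk.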
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/tls.c
index 18e8ca469..d9b7b0962 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/tls.c
@@ -1,7 +1,7 @@
/*
- * ssl.c
+ * tls.c - SSL/TLS/DTLS dissector
*
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,13 +23,14 @@
#include "ndpi_protocol_ids.h"
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSL
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TLS
#include "ndpi_api.h"
+#include "ndpi_md5.h"
-/* #define CERTIFICATE_DEBUG 1 */
+// #define DEBUG_TLS 1
-#define NDPI_MAX_SSL_REQUEST_SIZE 10000
+#define NDPI_MAX_TLS_REQUEST_SIZE 10000
/* Skype.c */
extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
@@ -37,220 +38,23 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
/* **************************************** */
-typedef struct MD5Context {
- uint32_t buf[4];
- uint32_t bits[2];
- unsigned char in[64];
-} MD5_CTX;
-
-/* **************************************** */
-
-static int is_big_endian(void) {
- static const int n = 1;
- return ((char *) &n)[0] == 0;
-}
-
-static void byteReverse(unsigned char *buf, unsigned longs) {
- uint32_t t;
-
- // Forrest: MD5 expect LITTLE_ENDIAN, swap if BIG_ENDIAN
- if (is_big_endian()) {
- do {
- t = (uint32_t) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
- ((unsigned) buf[1] << 8 | buf[0]);
- * (uint32_t *) buf = t;
- buf += 4;
- } while (--longs);
- }
-}
-
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-
-#define MD5STEP(f, w, x, y, z, data, s) \
- ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
-
-// Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
-// initialization constants.
-static void MD5Init(MD5_CTX *ctx) {
- ctx->buf[0] = 0x67452301;
- ctx->buf[1] = 0xefcdab89;
- ctx->buf[2] = 0x98badcfe;
- ctx->buf[3] = 0x10325476;
-
- ctx->bits[0] = 0;
- ctx->bits[1] = 0;
-}
-
-static void MD5Transform(uint32_t buf[4], uint32_t const in[16]) {
- uint32_t a, b, c, d;
-
- a = buf[0];
- b = buf[1];
- c = buf[2];
- d = buf[3];
-
- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
- MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
-
- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
-
- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
-
- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-static void MD5Update(MD5_CTX *ctx, unsigned char const *buf, unsigned len) {
- uint32_t t;
-
- t = ctx->bits[0];
- if ((ctx->bits[0] = t + ((uint32_t) len << 3)) < t)
- ctx->bits[1]++;
- ctx->bits[1] += len >> 29;
-
- t = (t >> 3) & 0x3f;
-
- if (t) {
- unsigned char *p = (unsigned char *) ctx->in + t;
-
- t = 64 - t;
- if (len < t) {
- memcpy(p, buf, len);
- return;
- }
- memcpy(p, buf, t);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32_t *) ctx->in);
- buf += t;
- len -= t;
- }
-
- while (len >= 64) {
- memcpy(ctx->in, buf, 64);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32_t *) ctx->in);
- buf += 64;
- len -= 64;
- }
-
- memcpy(ctx->in, buf, len);
-}
-
-static void MD5Final(unsigned char digest[16], MD5_CTX *ctx) {
- unsigned count;
- unsigned char *p;
- uint32_t *c = (uint32_t*)ctx->in;
-
- count = (ctx->bits[0] >> 3) & 0x3F;
-
- p = ctx->in + count;
- *p++ = 0x80;
- count = 64 - 1 - count;
- if (count < 8) {
- memset(p, 0, count);
- byteReverse(ctx->in, 16);
- MD5Transform(ctx->buf, (uint32_t *) ctx->in);
- memset(ctx->in, 0, 56);
- } else {
- memset(p, 0, count - 8);
- }
- byteReverse(ctx->in, 14);
-
- c[14] = ctx->bits[0];
- c[15] = ctx->bits[1];
-
- MD5Transform(ctx->buf, (uint32_t *) ctx->in);
- byteReverse((unsigned char *) ctx->buf, 4);
- memcpy(digest, ctx->buf, 16);
- memset((char *) ctx, 0, sizeof(*ctx));
-}
-
-/* **************************************** */
-
-static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, u_int32_t protocol)
-{
+static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow, u_int32_t protocol) {
struct ndpi_packet_struct *packet = &flow->packet;
if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_client[0] != '\0'))
|| ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0'))
// || (flow->host_server_name[0] != '\0')
)
- protocol = NDPI_PROTOCOL_SSL;
+ protocol = NDPI_PROTOCOL_TLS;
else
- protocol = NDPI_PROTOCOL_SSL_NO_CERT;
+ protocol = NDPI_PROTOCOL_TLS_NO_CERT;
if(packet->tcp != NULL) {
switch(protocol) {
- case NDPI_PROTOCOL_SSL:
- case NDPI_PROTOCOL_SSL_NO_CERT:
+ case NDPI_PROTOCOL_TLS:
+ case NDPI_PROTOCOL_TLS_NO_CERT:
{
/*
In case of SSL there are probably sub-protocols
@@ -273,18 +77,21 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st
return protocol;
}
-static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, u_int32_t protocol)
-{
- if((protocol != NDPI_PROTOCOL_SSL)
- && (protocol != NDPI_PROTOCOL_SSL_NO_CERT)) {
+/* **************************************** */
+
+static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow, u_int32_t protocol) {
+ if((protocol != NDPI_PROTOCOL_TLS)
+ && (protocol != NDPI_PROTOCOL_TLS_NO_CERT)) {
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN);
} else {
- protocol = ndpi_ssl_refine_master_protocol(ndpi_struct, flow, protocol);
+ protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN);
}
}
+/* **************************************** */
+
/* Can't call libc functions from kernel space, define some stub instead */
#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z'))
@@ -296,8 +103,9 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp
((ch) >= '[' && (ch) <= '`') || \
((ch) >= '{' && (ch) <= '~'))
-static void stripCertificateTrailer(char *buffer, int buffer_len) {
+/* **************************************** */
+static void stripCertificateTrailer(char *buffer, int buffer_len) {
int i, is_puny;
// printf("->%s<-\n", buffer);
@@ -346,42 +154,53 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) {
buffer[i] = tolower(buffer[i]);
}
+/* **************************************** */
+
/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */
#define JA3_STR_LEN 1024
#define MAX_NUM_JA3 128
struct ja3_info {
- u_int16_t ssl_version;
+ u_int16_t tls_version;
u_int16_t num_cipher, cipher[MAX_NUM_JA3];
- u_int16_t num_ssl_extension, ssl_extension[MAX_NUM_JA3];
+ u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
};
/* **************************************** */
-/* code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */
-int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
+int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *buffer, int buffer_len) {
struct ndpi_packet_struct *packet = &flow->packet;
struct ja3_info ja3;
+ int i;
u_int8_t invalid_ja3 = 0;
- u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len;
+ u_int16_t pkt_tls_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len;
char ja3_str[JA3_STR_LEN];
- MD5_CTX ctx;
+ ndpi_MD5_CTX ctx;
u_char md5_hash[16];
- flow->protos.stun_ssl.ssl.ssl_version = ssl_version;
+ if(packet->udp) {
+ /* Check if this is DTLS or return */
+ if((packet->payload[1] != 0xfe)
+ || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd))) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return(0);
+ }
+ }
+
+ flow->protos.stun_ssl.ssl.ssl_version = pkt_tls_version;
memset(&ja3, 0, sizeof(ja3));
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
{
- u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
+ u_int16_t tls_len = (packet->payload[3] << 8) + packet->payload[4];
- printf("SSL Record [version: %u][len: %u]\n", ssl_version, ssl_len);
+ printf("SSL Record [version: 0x%04X][len: %u]\n", pkt_tls_version, tls_len);
}
#endif
@@ -390,9 +209,21 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
Patches courtesy of Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
*/
if(packet->payload[0] == 0x16 /* Handshake */) {
- u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
- u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+ u_int16_t total_len;
+ u_int8_t handshake_protocol, header_len;
+
+ if(packet->tcp) {
+ header_len = 5; /* SSL Header */
+ handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+ total_len = (packet->payload[3] << 8) + packet->payload[4];
+ } else {
+ header_len = 13; /* DTLS header */
+ handshake_protocol = packet->payload[13];
+ total_len = ntohs(*((u_int16_t*)&packet->payload[11]));
+ }
+ total_len += header_len;
+
memset(buffer, 0, buffer_len);
/* Truncate total len, search at least in incomplete packet */
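Review bot: The DTLS arm reads `packet->payload[13]` and the two bytes at `payload[11]` before anything checks that the datagram is that long; the two callers visible later in this file only guarantee `payload_packet_len > 9`. A datagram of 10 to 13 bytes that passes the DTLS version check would therefore be read past its end. A guard such as `if(packet->payload_packet_len < 14) return(0);` at the top of the `else` arm would close this. The fixed `base_offset` of 59 used by the Server Hello path in the next hunk needs the same comparison against `payload_packet_len` before `packet->payload[offset]` is read. Separately, `total_len` is a `u_int16_t`, so `total_len += header_len` can wrap for a record length near 0xFFFF; getTLScertificate starts and ends outside this hunk.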
@@ -401,48 +232,58 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
/* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */
if(total_len > 4) {
- int i;
-
-#ifdef CERTIFICATE_DEBUG
+ u_int16_t base_offset = packet->tcp ? 43 : 59;
+
+#ifdef DEBUG_TLS
printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol);
#endif
-
+
if((handshake_protocol == 0x02)
- || (handshake_protocol == 0xb) /* Server Hello and Certificate message types are interesting for us */) {
+ || (handshake_protocol == 0x0b) /* Server Hello and Certificate message types are interesting for us */) {
u_int num_found = 0;
- u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9]));
+ u_int16_t tls_version;
+ int i;
- ja3.ssl_version = ssl_version;
+ if(packet->tcp)
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4]));
+ else
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12]));
+
+ ja3.tls_version = tls_version;
if(handshake_protocol == 0x02) {
- u_int16_t offset = 43, extension_len, j;
- u_int8_t session_id_len = packet->payload[43];
+ u_int16_t offset = base_offset, extension_len, j;
+ u_int8_t session_id_len = packet->payload[offset];
-#ifdef CERTIFICATE_DEBUG
- printf("SSL Server Hello [version: 0x%04X]\n", ssl_version);
+#ifdef DEBUG_TLS
+ printf("SSL Server Hello [version: 0x%04X]\n", tls_version);
#endif
/*
The server hello decides about the SSL version of this flow
https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3
*/
- flow->protos.stun_ssl.ssl.ssl_version = ssl_version;
-
- if(ssl_version < 0x7F15 /* TLS 1.3 lacks of session id */)
- offset += session_id_len+1;
+ flow->protos.stun_ssl.ssl.ssl_version = tls_version;
+ if(packet->udp)
+ offset += 1;
+ else {
+ if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */)
+ offset += session_id_len+1;
+ }
+
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]);
flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("SSL [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
#endif
offset += 2 + 1;
extension_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("SSL [server][extension_len: %u]\n", extension_len);
#endif
offset += 2;
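Review bot: In the Server Hello branch the UDP case advances `offset` by 1 regardless of `session_id_len`, so a DTLS Server Hello with a non-empty session id would have its cipher suite read from inside the session id. `server_cipher`, `server_unsafe_cipher` and the JA3S string would then be wrong. Unless DTLS session ids are known to be empty here, `offset += session_id_len + 1;` looks like the intended step for UDP as well. The DTLS Client Hello path in the `@@ -554,28 +395,46 @@` hunk makes the same kind of assumption: `cipher_len` is read at `base_offset+2` and `cipher_offset` is `base_offset+4`, which only holds when both the session id and the DTLS cookie are empty. If that restriction is deliberate, a comment on both branches should say so; the enclosing function extends beyond this hunk.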
@@ -455,17 +296,17 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
id = ntohs(*((u_int16_t*)&packet->payload[offset]));
len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
- if(ja3.num_ssl_extension < MAX_NUM_JA3)
- ja3.ssl_extension[ja3.num_ssl_extension++] = id;
+ if(ja3.num_tls_extension < MAX_NUM_JA3)
+ ja3.tls_extension[ja3.num_tls_extension++] = id;
-#ifdef CERTIFICATE_DEBUG
- printf("SSL [server][extension_id: %u]\n", id);
+#ifdef DEBUG_TLS
+ printf("SSL [server][extension_id: %u/0x%04X]\n", id, id);
#endif
i += 4 + len, offset += 4 + len;
}
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version);
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_version);
for(i=0; i<ja3.num_cipher; i++)
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
@@ -474,26 +315,26 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
/* ********** */
- for(i=0; i<ja3.num_ssl_extension; i++)
- ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.ssl_extension[i]);
+ for(i=0; i<ja3.num_tls_extension; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("SSL [server] %s\n", ja3_str);
#endif
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("[JA3] Server: %s \n", ja3_str);
#endif
- MD5Init(&ctx);
- MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
- MD5Final(md5_hash, &ctx);
+ ndpi_MD5Init(&ctx);
+ ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
+ ndpi_MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++)
j += snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j],
sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]);
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server);
#endif
@@ -554,28 +395,46 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
}
} else if(handshake_protocol == 0x01 /* Client Hello */) {
- u_int offset, base_offset = 43;
+ u_int offset;
- if(base_offset + 2 <= packet->payload_packet_len) {
- u_int16_t session_id_len = packet->payload[base_offset];
- u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9]));
+#ifdef DEBUG_TLS
+ printf("[base_offset: %u][payload_packet_len: %u]\n", base_offset, packet->payload_packet_len);
+#endif
- ja3.ssl_version = ssl_version;
+ if(base_offset + 2 <= packet->payload_packet_len) {
+ u_int16_t session_id_len;
+ u_int16_t tls_version;
+ if(packet->tcp)
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4]));
+ else
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12]));
+
+ session_id_len = packet->payload[base_offset];
+
+ ja3.tls_version = tls_version;
+
if((session_id_len+base_offset+2) <= total_len) {
- u_int16_t cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
- u_int16_t i, cipher_offset = base_offset + session_id_len + 3;
+ u_int16_t cipher_len, cipher_offset;
-#ifdef CERTIFICATE_DEBUG
- printf("Client SSL [client cipher_len: %u]\n", cipher_len);
+ if(packet->tcp) {
+ cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
+ cipher_offset = base_offset + session_id_len + 3;
+ } else {
+ cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2]));
+ cipher_offset = base_offset+4;
+ }
+
+#ifdef DEBUG_TLS
+ printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version);
#endif
if((cipher_offset+cipher_len) <= total_len) {
for(i=0; i<cipher_len;) {
u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
-#ifdef CERTIFICATE_DEBUG
- printf("Client SSL [cipher suite: %u] [%u/%u]\n", ntohs(*id), i, cipher_len);
+#ifdef DEBUG_TLS
+ printf("Client SSL [cipher suite: %u/0x%04X] [%u/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len);
#endif
if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) {
/*
@@ -587,7 +446,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
ja3.cipher[ja3.num_cipher++] = ntohs(*id);
else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL Invalid cipher %u\n", ja3.num_cipher);
#endif
}
@@ -597,7 +456,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
} else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len);
#endif
}
@@ -610,11 +469,11 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t compression_len;
u_int16_t extensions_len;
- offset++;
+ offset += packet->tcp ? 1 : 2;
compression_len = packet->payload[offset];
offset++;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL [compression_len: %u]\n", compression_len);
#endif
@@ -625,7 +484,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
offset += 2;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL [extensions_len: %u]\n", extensions_len);
#endif
@@ -644,19 +503,19 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
extension_offset += 2;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len);
#endif
if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) {
/* Skip GREASE */
- if(ja3.num_ssl_extension < MAX_NUM_JA3)
- ja3.ssl_extension[ja3.num_ssl_extension++] = extension_id;
+ if(ja3.num_tls_extension < MAX_NUM_JA3)
+ ja3.tls_extension[ja3.num_tls_extension++] = extension_id;
else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
- printf("Client SSL Invalid extensions %u\n", ja3.num_ssl_extension);
+#ifdef DEBUG_TLS
+ printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension);
#endif
}
}
@@ -676,9 +535,9 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
}
} else if(extension_id == 10 /* supported groups */) {
- u_int16_t i, s_offset = offset+extension_offset + 2;
-
-#ifdef CERTIFICATE_DEBUG
+ u_int16_t s_offset = offset+extension_offset + 2;
+
+#ifdef DEBUG_TLS
printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len);
#endif
@@ -686,8 +545,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
for(i=0; i<extension_len-2;) {
u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i]));
-#ifdef CERTIFICATE_DEBUG
- printf("Client SSL [EllipticCurve: %u]\n", s_group);
+#ifdef DEBUG_TLS
+ printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group);
#endif
if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) {
/* Skip GREASE */
@@ -695,7 +554,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group;
else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve);
#endif
}
@@ -705,21 +564,21 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
} else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len);
#endif
}
} else if(extension_id == 11 /* ec_point_formats groups */) {
- u_int16_t i, s_offset = offset+extension_offset + 1;
-
-#ifdef CERTIFICATE_DEBUG
+ u_int16_t s_offset = offset+extension_offset + 1;
+
+#ifdef DEBUG_TLS
printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len);
#endif
if((s_offset+extension_len) < total_len) {
for(i=0; i<extension_len-1;i++) {
u_int8_t s_group = packet->payload[s_offset+i];
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL [EllipticCurveFormat: %u]\n", s_group);
#endif
@@ -727,14 +586,14 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group;
else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format);
#endif
}
}
} else {
invalid_ja3 = 1;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len);
#endif
}
@@ -742,13 +601,13 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
extension_offset += extension_len;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len);
#endif
} /* while */
if(!invalid_ja3) {
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version);
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_version);
for(i=0; i<ja3.num_cipher; i++) {
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
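Review bot: The client JA3 string is built by adding each `snprintf` return value to `ja3_str_len`, but `snprintf` returns the length it would have written. Once `ja3_str` (JA3_STR_LEN, 1024 bytes) is full, `ja3_str_len` moves past the buffer and `sizeof(ja3_str)-ja3_str_len` wraps to a very large size. With up to MAX_NUM_JA3 (128) entries in each of four lists taken from the Client Hello, 1024 bytes is not an upper bound on the formatted text, so later appends can write outside the stack buffer. Each return value should be checked against the remaining space before it is added, e.g. `if(rc < 0 || (size_t)rc >= sizeof(ja3_str) - ja3_str_len)`, and the MD5 step skipped when that fails. The same pattern continues in the `@@ -759,9 +618,9 @@` and `@@ -777,19 +636,20 @@` hunks; the loop body here is cut by the hunk boundary.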
@@ -759,9 +618,9 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
/* ********** */
- for(i=0; i<ja3.num_ssl_extension; i++)
+ for(i=0; i<ja3.num_tls_extension; i++)
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
- (i > 0) ? "-" : "", ja3.ssl_extension[i]);
+ (i > 0) ? "-" : "", ja3.tls_extension[i]);
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
@@ -777,19 +636,20 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
(i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("[JA3] Client: %s \n", ja3_str);
#endif
-
- MD5Init(&ctx);
- MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
- MD5Final(md5_hash, &ctx);
+
+ ndpi_MD5Init(&ctx);
+ ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
+ ndpi_MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++)
j += snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j],
- sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", md5_hash[i]);
+ sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x",
+ md5_hash[i]);
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client);
#endif
}
@@ -807,6 +667,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
return(0); /* Not found */
}
+/* **************************************** */
+
void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *buffer, int buffer_len) {
@@ -862,7 +724,7 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
if(is_printable == 1) {
snprintf(flow->protos.stun_ssl.ssl.server_organization,
sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
#endif
}
@@ -870,20 +732,24 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
}
}
+/* **************************************** */
-int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
/* consider only specific SSL packets (handshake) */
if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) {
char certificate[64];
- char organization[64];
int rc;
certificate[0] = '\0';
- rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
+ rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate));
packet->ssl_certificate_num_checks++;
+
if(rc > 0) {
+ char organization[64];
+
// try fetch server organization once server certificate is found
organization[0] = '\0';
getSSLorganization(ndpi_struct, flow, organization, sizeof(organization));
@@ -893,20 +759,25 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
/* 0 means we're done processing extra packets (since we found what we wanted) */
return 0;
}
+
/* Client hello, Server Hello, and certificate packets probably all checked in this case */
- if((packet->ssl_certificate_num_checks >= 3)
+ if(((packet->ssl_certificate_num_checks >= 3)
&& (flow->l4.tcp.seen_syn)
&& (flow->l4.tcp.seen_syn_ack)
&& (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
- {
- /* We're done processing extra packets since we've probably checked all possible cert packets */
+ || (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0')
+ ) {
+ /* We're done processing extra packets since we've probably checked all possible cert packets */
return 0;
}
}
+
/* 1 means keep looking for more packets */
return 1;
}
+/* **************************************** */
+
void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) {
flow->check_extra_packets = 1;
/* 0 is the case for waiting for the server certificate */
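Review bot: The added `|| (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0')` clause ends extra-packet processing as soon as a Server Hello has produced a JA3S hash, but the comment beneath it still describes only the three-checks case. If the server certificate arrives in a later packet than the Server Hello, this path appears to stop before `getTLScertificate` can see it, so `server_certificate` and the organization would stay empty for that flow. If the early exit is meant for DTLS, where the first half of the condition reads `flow->l4.tcp` handshake flags, restricting it with `packet->udp` and saying so in the comment would make the intent clear. sslTryAndRetrieveServerCertificate begins in the previous hunk.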
@@ -917,30 +788,33 @@ void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) {
}
}
-int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+/* **************************************** */
+
+int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
if((packet->payload_packet_len > 9)
&& (packet->payload[0] == 0x16 /* consider only specific SSL packets (handshake) */)) {
if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
- || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)) {
+ || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)) {
char certificate[64];
int rc;
certificate[0] = '\0';
- rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
+ rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate));
packet->ssl_certificate_num_checks++;
if(rc > 0) {
packet->ssl_certificate_detected++;
-#ifdef CERTIFICATE_DEBUG
+#ifdef DEBUG_TLS
NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
#endif
ndpi_protocol_match_result ret_match;
u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
strlen(certificate),
&ret_match,
- NDPI_PROTOCOL_SSL);
+ NDPI_PROTOCOL_TLS);
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
/* If we've detected the subprotocol from client certificate but haven't had a chance
@@ -952,11 +826,11 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
}
ndpi_set_detected_protocol(ndpi_struct, flow, subproto,
- ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL));
+ ndpi_tls_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS));
return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */
}
- if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0)
+ if(ndpi_is_tls_tor(ndpi_struct, flow, certificate) != 0)
return(rc);
}
@@ -969,29 +843,30 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
&& (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
/* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
) {
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
}
}
return(0);
}
-static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+/* **************************************** */
+
+static void tls_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t a;
u_int32_t end;
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0)
- goto check_for_ssl_payload;
+ goto check_for_tls_payload;
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0)
- goto check_for_ssl_payload;
+ goto check_for_tls_payload;
else
- goto no_check_for_ssl_payload;
+ goto no_check_for_tls_payload;
- check_for_ssl_payload:
+ check_for_tls_payload:
end = packet->payload_packet_len - 20;
for (a = 5; a < end; a++) {
@@ -1000,7 +875,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK
(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) {
NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER);
return;
}
}
@@ -1027,7 +902,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
flow->dst->oscar_last_safe_access_time = packet->tick_timestamp;
}
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
return;
}
}
@@ -1037,31 +912,32 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
(memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0
|| memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) {
NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
return;
}
}
}
- no_check_for_ssl_payload:
+ no_check_for_tls_payload:
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n");
- sslDetectProtocolFromCertificate(ndpi_struct, flow);
+ tlsDetectProtocolFromCertificate(ndpi_struct, flow);
if(!packet->ssl_certificate_detected
&& (!(flow->l4.tcp.ssl_seen_client_cert && flow->l4.tcp.ssl_seen_server_cert))) {
/* SSL without certificate (Skype, Ultrasurf?) */
NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS_NO_CERT);
} else if(packet->ssl_certificate_num_checks >= 3) {
NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
}
}
+/* **************************************** */
-static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct *ndpi_struct,
+static u_int8_t ndpi_search_tlsv3_direction1(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
@@ -1126,7 +1002,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
if(packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16)
&& packet->payload[temp + 1] == 0x03) {
u_int32_t temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5;
- if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) {
+ if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) {
return 1;
}
temp += temp2;
@@ -1137,7 +1013,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
if(packet->payload_packet_len >= temp + 5 &&
packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) {
temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5;
- if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) {
+ if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) {
return 1;
}
temp += temp2;
@@ -1148,7 +1024,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
if(packet->payload_packet_len >= temp + 5 &&
packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) {
temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5;
- if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) {
+ if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) {
return 1;
}
temp += temp2;
@@ -1164,20 +1040,51 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
return 0;
}
-void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+/* **************************************** */
+
+void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t ret;
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ if(packet->udp != NULL) {
+ /* DTLS dissector */
+#ifdef DEBUG_TLS
+ int rc = /* sslTryAndRetrieveServerCertificate(...) */
+#endif
+ sslTryAndRetrieveServerCertificate(ndpi_struct, flow);
+
+#ifdef DEBUG_TLS
+ printf("==>> %u [rc: %u][len: %u][%s][version: %u]\n",
+ flow->guessed_host_protocol_id, rc, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ja3_server,
+ flow->protos.stun_ssl.ssl.ssl_version);
+#endif
+
+ if(flow->protos.stun_ssl.ssl.ssl_version != 0) {
+ flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
+
+ if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
+ /* In Signal protocol STUN turns into DTLS... */
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL);
+ } else if(flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') {
+ /* Wait the server certificate the bless this flow as TLS */
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+ }
+ }
+
+ return;
+ }
+
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
if(flow->l4.tcp.ssl_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) {
/* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets
* so go on checking for certificate patterns for a couple more packets
*/
NDPI_LOG_DBG2(ndpi_struct,
"ssl flow but check another packet for patterns\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
/* still ssl so check another packet */
return;
} else {
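Review bot: In the new UDP branch a flow is labelled `NDPI_PROTOCOL_SIGNAL` whenever `ssl_version` is non-zero and `stun.num_udp_pkts > 0`, and `getTLScertificate` sets `ssl_version` for any datagram whose second and third bytes pass the DTLS version check. That is a thin basis for naming a specific application: STUN followed by DTLS is the usual WebRTC pattern, so other WebRTC traffic would presumably be reported as Signal too, whereas the TLS arm below at least waits for `ja3_server`. Requiring a parsed Server Hello here as well, or documenting the limitation in the comment, would make the classification easier to trust. The `int rc = /* ... */` line that relies on the following `#endif` and call to complete the statement is also fragile; `int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); (void)rc;` outside the `#ifdef` reads more plainly. ndpi_search_tls_tcp_udp continues past this hunk.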
@@ -1185,11 +1092,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
}
}
+
return;
}
NDPI_LOG_DBG(ndpi_struct, "search ssl\n");
-
+
/* Check if this is whatsapp first (this proto runs over port 443) */
if((packet->payload_packet_len > 5)
&& ((packet->payload[0] == 'W')
@@ -1206,10 +1114,10 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
} else {
/* No whatsapp, let's try SSL */
- if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
+ if(tlsDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
return;
- }
-
+ }
+
if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n");
// SSLv2 Record
@@ -1234,14 +1142,14 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03
&& (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 ||
packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) {
- if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
- NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
- flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
- return;
- }
+ if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
+ NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
+ flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
+ return;
+ }
}
}
-
+
if(packet->payload_packet_len > 40 &&
flow->l4.tcp.ssl_stage == 1 + packet->packet_direction
&& flow->packet_direction_counter[packet->packet_direction] < 5) {
@@ -1255,20 +1163,20 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
&& (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02)
&& (packet->payload_packet_len - 2) >= packet->payload[1]) {
NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
return;
}
- ret = ndpi_search_sslv3_direction1(ndpi_struct, flow);
+ ret = ndpi_search_tlsv3_direction1(ndpi_struct, flow);
if(ret == 1) {
NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
return;
} else if(ret == 2) {
NDPI_LOG_DBG2(ndpi_struct,
"sslv3 server len match with split packet -> check some more packets for SSL patterns\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
flow->l4.tcp.ssl_stage = 3;
}
return;
@@ -1281,16 +1189,18 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
return;
}
+/* **************************************** */
-void init_ssl_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("SSL", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_SSL,
- ndpi_search_ssl_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
+void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("TLS", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_TLS,
+ ndpi_search_tls_tcp_udp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
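Review bot: Registering `ndpi_search_tls_tcp_udp` with `NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD` needs a guard that is not visible here. The stage logic in the earlier hunks of this file keeps its state in `flow->l4.tcp.ssl_stage`, which is TCP-specific flow state. The callback body is outside this hunk, so confirm that it checks `packet->tcp != NULL` before any path that reads or writes `flow->l4.tcp`; otherwise UDP flows would drive state that belongs to TCP. I would record that above the registration, e.g. `/* TCP and UDP both land in ndpi_search_tls_tcp_udp; l4.tcp.ssl_stage must stay behind a packet->tcp check */`. The body of `init_tls_dissector` continues past the end of the hunk.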
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index f1c6f586a..3b2dd06c4 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -18,12 +18,12 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
}
-int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
+int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *certificate) {
int prev_num = 0, numbers_found = 0, num_found = 0, i, len, num_impossible = 0;
char dummy[48], *dot, *name;
-
- if(certificate == NULL)
+
+ if((certificate == NULL) || (certificate[0] == '\0'))
return(0);
else
len = strlen(certificate);
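Review bot: `len = strlen(certificate);` stores a `size_t` in an `int`, and the string presumably originates from parsed handshake data, so the length should be kept as `size_t` or bounded before it is narrowed. How `dummy[48]` gets filled is outside this hunk; any copy from `certificate` into it should be confirmed to be limited by `sizeof(dummy)`. The added empty-string test is fine, but the `else` after `return(0);` is redundant: `if((certificate == NULL) || (certificate[0] == '\0')) return(0);` followed by a plain `len = strlen(certificate);` reads more directly. The function body continues outside the hunk.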
@@ -96,11 +96,13 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
- u_int16_t dport = 0, sport = 0;
NDPI_LOG_DBG(ndpi_struct, "search for TOR\n");
- if(packet->tcp != NULL) {
+ if((packet->tcp != NULL)
+ && (!packet->ssl_certificate_detected)) {
+ u_int16_t dport, sport;
+
sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculating TOR over tcp\n");
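Review bot: The new `!packet->ssl_certificate_detected` condition has no comment saying why a seen certificate suppresses the TCP Tor check, and the branch taken when the condition is false lies outside this hunk. If that branch excludes the protocol, a flow whose certificate was already seen can no longer be labelled Tor from here, so confirm that the certificate path (`ndpi_is_tls_tor`) is what decides in that case. If that is the intent, I would add `/* flows with a certificate are judged by ndpi_is_tls_tor(); only certificate-less TCP flows are checked here */` above the `if`. The locals can also be initialised at declaration, `u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);`, instead of through the comma expression.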
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index 3be953939..972466dc8 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -367,7 +367,7 @@ void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
- || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
/* search over TCP */
ndpi_search_yahoo_tcp(ndpi_struct, flow);
}
diff --git a/src/lib/third_party/include/ndpi_md5.h b/src/lib/third_party/include/ndpi_md5.h
new file mode 100644
index 000000000..f7dd9b946
--- /dev/null
+++ b/src/lib/third_party/include/ndpi_md5.h
@@ -0,0 +1,18 @@
+/*
+ Contributed code pasted here to make nDPI self-contained with no
+ external dependencies
+*/
+
+/* **************************************** */
+
+typedef struct ndpi_MD5Context {
+ uint32_t buf[4];
+ uint32_t bits[2];
+ unsigned char in[64];
+} ndpi_MD5_CTX;
+
+/* **************************************** */
+
+extern void ndpi_MD5Init(ndpi_MD5_CTX *ctx);
+extern void ndpi_MD5Update(ndpi_MD5_CTX *ctx, unsigned char const *buf, unsigned len);
+extern void ndpi_MD5Final(unsigned char digest[16], ndpi_MD5_CTX *ctx);
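Review bot: The new header has no include guard and uses `uint32_t` without including `<stdint.h>`, so it compiles only when the includer has already pulled that type in and includes the header once. Wrap the contents in `#ifndef NDPI_MD5_H` / `#define NDPI_MD5_H` … `#endif` and add `#include <stdint.h>` at the top. The implementation file spells the same type `u_int32_t`; using one spelling in both places avoids relying on the two typedefs being identical on every platform.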
diff --git a/src/lib/third_party/src/ndpi_md5.c b/src/lib/third_party/src/ndpi_md5.c
new file mode 100644
index 000000000..fefe9d65f
--- /dev/null
+++ b/src/lib/third_party/src/ndpi_md5.c
@@ -0,0 +1,204 @@
+/*
+ Contributed code pasted here to make nDPI self-contained with no
+ external dependencies
+*/
+
+#include "ndpi_api.h"
+#include "ndpi_md5.h"
+
+/* **************************************** */
+
+static int is_big_endian(void) {
+ static const int n = 1;
+ return ((char *) &n)[0] == 0;
+}
+
+static void byte_reverse(unsigned char *buf, unsigned longs) {
+ // Forrest: MD5 expect LITTLE_ENDIAN, swap if BIG_ENDIAN
+ if (is_big_endian()) {
+ do {
+ u_int32_t t;
+
+ t = (u_int32_t) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
+ ((unsigned) buf[1] << 8 | buf[0]);
+ * (u_int32_t *) buf = t;
+ buf += 4;
+ } while (--longs);
+ }
+}
+
+#define F1(x, y, z) (z ^ (x & (y ^ z)))
+#define F2(x, y, z) F1(z, x, y)
+#define F3(x, y, z) (x ^ y ^ z)
+#define F4(x, y, z) (y ^ (x | ~z))
+
+#define MD5STEP(f, w, x, y, z, data, s) \
+ ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
+
+/* **************************************** */
+
+// Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
+// initialization constants.
+void ndpi_MD5Init(ndpi_MD5_CTX *ctx) {
+ ctx->buf[0] = 0x67452301;
+ ctx->buf[1] = 0xefcdab89;
+ ctx->buf[2] = 0x98badcfe;
+ ctx->buf[3] = 0x10325476;
+
+ ctx->bits[0] = 0;
+ ctx->bits[1] = 0;
+}
+
+/* **************************************** */
+
+static void MD5Transform(u_int32_t buf[4], u_int32_t const in[16]) {
+ u_int32_t a, b, c, d;
+
+ a = buf[0];
+ b = buf[1];
+ c = buf[2];
+ d = buf[3];
+
+ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+ MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+
+ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+
+ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+
+ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+
+ buf[0] += a;
+ buf[1] += b;
+ buf[2] += c;
+ buf[3] += d;
+}
+
+/* **************************************** */
+
+void ndpi_MD5Update(ndpi_MD5_CTX *ctx, unsigned char const *buf, unsigned len) {
+ u_int32_t t;
+
+ t = ctx->bits[0];
+ if ((ctx->bits[0] = t + ((u_int32_t) len << 3)) < t)
+ ctx->bits[1]++;
+ ctx->bits[1] += len >> 29;
+
+ t = (t >> 3) & 0x3f;
+
+ if (t) {
+ unsigned char *p = (unsigned char *) ctx->in + t;
+
+ t = 64 - t;
+ if (len < t) {
+ memcpy(p, buf, len);
+ return;
+ }
+ memcpy(p, buf, t);
+ byte_reverse(ctx->in, 16);
+ MD5Transform(ctx->buf, (u_int32_t *) ctx->in);
+ buf += t;
+ len -= t;
+ }
+
+ while (len >= 64) {
+ memcpy(ctx->in, buf, 64);
+ byte_reverse(ctx->in, 16);
+ MD5Transform(ctx->buf, (u_int32_t *) ctx->in);
+ buf += 64;
+ len -= 64;
+ }
+
+ memcpy(ctx->in, buf, len);
+}
+
+/* **************************************** */
+
+void ndpi_MD5Final(unsigned char digest[16], ndpi_MD5_CTX *ctx) {
+ unsigned count;
+ unsigned char *p;
+ u_int32_t *c = (u_int32_t*)ctx->in;
+
+ count = (ctx->bits[0] >> 3) & 0x3F;
+
+ p = ctx->in + count;
+ *p++ = 0x80;
+ count = 64 - 1 - count;
+ if (count < 8) {
+ memset(p, 0, count);
+ byte_reverse(ctx->in, 16);
+ MD5Transform(ctx->buf, (u_int32_t *) ctx->in);
+ memset(ctx->in, 0, 56);
+ } else {
+ memset(p, 0, count - 8);
+ }
+ byte_reverse(ctx->in, 14);
+
+ c[14] = ctx->bits[0];
+ c[15] = ctx->bits[1];
+
+ MD5Transform(ctx->buf, (u_int32_t *) ctx->in);
+ byte_reverse((unsigned char *) ctx->buf, 4);
+ memcpy(digest, ctx->buf, 16);
+ memset((char *) ctx, 0, sizeof(*ctx));
+}
+
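Review bot: Nothing in this new file says what the digest may be used for, and MD5 is not collision-resistant, so the API should be documented as fingerprinting-only. The 32-hex `JA3C`/`JA3S` values in this commit's test results suggest that is the intended use. A comment above `ndpi_MD5Init` such as `/* MD5 is kept for JA3-style fingerprints only; not for integrity or authentication */` would stop later callers from reusing it as a security primitive. Separately, the closing `memset((char *) ctx, 0, sizeof(*ctx));` in `ndpi_MD5Final` is a dead store that a compiler may drop. That is harmless for fingerprints, but it is not a reliable wipe if the context ever holds sensitive input.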
diff --git a/tests/pcap/smbv1.pcap b/tests/pcap/smbv1.pcap
new file mode 100644
index 000000000..ad682cdb5
--- /dev/null
+++ b/tests/pcap/smbv1.pcap
Binary files differ
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index de7a2690c..cc445652b 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -1,4 +1,4 @@
-Unknown 24 6428 14
+Unknown 22 6088 12
DNS 2 378 1
HTTP 524 220123 9
MDNS 1 82 1
@@ -7,8 +7,9 @@ NetBIOS 31 3589 8
SSDP 143 36951 13
DHCP 24 8208 5
QQ 28 5216 2
+STUN 2 340 2
RTP 2 132 1
-SSL 105 21914 7
+TLS 105 21914 7
DHCPV6 10 980 3
Facebook 19 6840 2
Google 3 176 1
@@ -33,17 +34,17 @@ JA3 Host Stats:
11 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 7/HTTP][cat: Web/5][6 pkts/676 bytes <-> 8 pkts/8482 bytes][Host: dl-obs.official.line.naver.jp][PLAIN TEXT (GGET /r/talk/m/4697716971500/pr)]
12 UDP [fe80::9bd:81dd:2fdc:5750]:1900 -> [ff02::c]:1900 [proto: 12/SSDP][cat: System/18][16 pkts/8921 bytes -> 0 pkts/0 bytes][PLAIN TEXT (NOTIFY )]
13 UDP 192.168.5.49:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][16 pkts/8473 bytes -> 0 pkts/0 bytes][PLAIN TEXT (NOTIFY )]
- 14 TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91/SSL][cat: Web/5][13 pkts/6269 bytes <-> 10 pkts/1165 bytes]
+ 14 TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91/TLS][cat: Web/5][13 pkts/6269 bytes <-> 10 pkts/1165 bytes]
15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com][PLAIN TEXT (POST /getvinfo HTTP/1.1)]
16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][cat: Network/14][14 pkts/4788 bytes -> 0 pkts/0 bytes]
- 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes]
- 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
- 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
- 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 64.119/TLS_No_Cert.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes]
+ 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][TLSv1.2][client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][TLSv1.2][client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][TLSv1.2][client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.137/HTTP.GenericProtocol][cat: Media/1][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: jp.kankan.1kxun.mobi][PLAIN TEXT (GET /api/videos/10410.j)]
- 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][TLSv1.2][client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7.137/HTTP.GenericProtocol][cat: Media/1][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi][PLAIN TEXT (GET /api/videos/10410.j)]
- 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes]
+ 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 64.119/TLS_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes]
25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/2450 bytes -> 0 pkts/0 bytes][PLAIN TEXT (SEARCH )]
26 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7.137/HTTP.GenericProtocol][cat: Media/1][10 pkts/1406 bytes <-> 4 pkts/980 bytes][Host: kankan.1kxun.com][PLAIN TEXT (GET /api/videos/alsolikes/10410)]
27 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 7/HTTP][cat: Web/5][10 pkts/1428 bytes <-> 4 pkts/867 bytes][Host: 183.131.48.145][PLAIN TEXT (GET /vlive.qq)]
@@ -68,7 +69,7 @@ JA3 Host Stats:
46 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][5 pkts/490 bytes -> 0 pkts/0 bytes]
47 UDP [fe80::beee:7bff:fe0c:b3de]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][4 pkts/392 bytes -> 0 pkts/0 bytes]
48 UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/289 bytes][Host: dl-obs.official.line.naver.jp][PLAIN TEXT (official)]
- 49 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/SSL][cat: Web/5][4 pkts/220 bytes <-> 2 pkts/132 bytes]
+ 49 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/TLS][cat: Web/5][4 pkts/220 bytes <-> 2 pkts/132 bytes]
50 UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: joanna-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][PLAIN TEXT (Joanna)]
51 UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: kevin-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][PLAIN TEXT (MSFT 5.07)]
52 UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.137/DNS.GenericProtocol][cat: Media/1][2 pkts/146 bytes <-> 1 pkts/137 bytes][Host: pic.1kxun.com]
@@ -88,53 +89,55 @@ JA3 Host Stats:
66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/182 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW]
68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW]
- 69 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/110 bytes <-> 1 pkts/66 bytes]
- 70 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
- 71 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
- 72 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)]
- 73 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
- 74 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
- 75 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: RO_X1C]
- 76 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: RO_X1C]
- 77 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)]
- 78 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)]
- 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________]
- 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________]
- 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________]
- 82 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
- 83 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
- 84 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: Kasper-mac][PLAIN TEXT (Kasper)]
- 85 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW]
- 86 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW]
- 87 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
- 88 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
- 89 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
- 90 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
- 91 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)]
- 92 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)]
- 93 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
- 94 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-PC]
- 95 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-PC]
- 96 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: Usher-PC]
- 97 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: Usher-PC]
- 98 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
- 99 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
- 100 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: RO_X1C]
- 101 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 87/RTP][cat: Media/1][2 pkts/132 bytes -> 0 pkts/0 bytes]
- 102 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes]
- 103 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes]
- 104 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes]
- 105 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EHEGEJEMEFCACACACACACACACACACA)]
- 106 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( FDEBEOEKEJ)]
- 107 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
- 108 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
- 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes]
- 110 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)]
- 111 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
- 112 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
- 113 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
- 114 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-PC]
- 115 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)]
+ 69 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 78/STUN][cat: Network/14][1 pkts/177 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )]
+ 70 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/110 bytes <-> 1 pkts/66 bytes]
+ 71 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
+ 72 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
+ 73 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)]
+ 74 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
+ 75 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
+ 76 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: RO_X1C]
+ 77 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: RO_X1C]
+ 78 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 78/STUN][cat: Network/14][1 pkts/163 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.4 )]
+ 79 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)]
+ 80 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)]
+ 81 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________]
+ 82 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________]
+ 83 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________]
+ 84 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
+ 85 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
+ 86 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: Kasper-mac][PLAIN TEXT (Kasper)]
+ 87 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW]
+ 88 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW]
+ 89 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
+ 90 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
+ 91 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
+ 92 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC][PLAIN TEXT (Joanna)]
+ 93 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)]
+ 94 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)]
+ 95 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
+ 96 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-PC]
+ 97 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-PC]
+ 98 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: Usher-PC]
+ 99 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: Usher-PC]
+ 100 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
+ 101 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)]
+ 102 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: RO_X1C]
+ 103 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 87/RTP][cat: Media/1][2 pkts/132 bytes -> 0 pkts/0 bytes]
+ 104 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes]
+ 105 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes]
+ 106 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes]
+ 107 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EHEGEJEMEFCACACACACACACACACACA)]
+ 108 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( FDEBEOEKEJ)]
+ 109 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
+ 110 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
+ 111 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes]
+ 112 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)]
+ 113 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
+ 114 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-PC][PLAIN TEXT (charming)]
+ 115 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-PC]
+ 116 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-PC]
+ 117 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)]
Undetected flows:
@@ -146,9 +149,7 @@ Undetected flows:
6 UDP 192.168.140.140:62976 -> 255.255.255.255:62976 [proto: 0/Unknown][1 pkts/359 bytes -> 0 pkts/0 bytes][PLAIN TEXT (Switch)]
7 UDP [fe80::4e5e:cff:feea:365]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )]
8 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )]
- 9 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/177 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )]
- 10 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (AABHZW50cmljZV9)]
- 11 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (icRVSoU)]
- 12 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.4 )]
- 13 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )]
- 14 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (dDYcTc4)]
+ 9 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (AABHZW50cmljZV9)]
+ 10 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (icRVSoU)]
+ 11 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )]
+ 12 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (dDYcTc4)]
diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out
index 7071c5a6e..962af5c2f 100644
--- a/tests/result/6in4tunnel.pcap.out
+++ b/tests/result/6in4tunnel.pcap.out
@@ -1,6 +1,6 @@
HTTP 10 1792 1
IMAPS 4 516 2
-SSL 28 15397 1
+TLS 28 15397 1
ICMPV6 48 7862 3
Facebook 37 14726 3
@@ -9,8 +9,8 @@ JA3 Host Stats:
1 2001:470:1f17:13f:3e97:eff:fe73:4dec 2
- 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][TLSv1.2][JA3C: 812d8bce0f85487ba7834d36568ed586][server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][TLSv1.2][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/TLS][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][TLSv1.2][client: mail.tomasu.net][JA3C: 812d8bce0f85487ba7834d36568ed586][server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][TLSv1.2][client: www.facebook.com][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes]
4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net][PLAIN TEXT (GET / HTTP/1.1)]
5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes][PLAIN TEXT (ds 0/u6)]
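Review bot: The new `[client: mail.tomasu.net]` field on flows 1 and 2 reads as if it identified the client, but the values look like the server name the client requested (presumably the ClientHello SNI; the code that prints it is outside this hunk). That value is chosen by the client and is not authenticated, whereas `server:` appears to come from the certificate, and the two can differ, as in `client: www.facebook.com` next to `server: *.facebook.com` on flow 2. A label such as `[client SNI: mail.tomasu.net]` would keep anyone reading these results from treating the field as a verified identity. The same field appears in the Instagram, KakaoTalk_chat, dnscrypt, facebook and http_ipv6 result hunks of this commit.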
diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out
index 6f77c8211..8a97e29e0 100644
--- a/tests/result/Instagram.pcap.out
+++ b/tests/result/Instagram.pcap.out
@@ -1,7 +1,7 @@
Unknown 1 66 1
HTTP 116 91784 6
ICMP 5 510 1
-SSL 2 169 1
+TLS 2 169 1
Facebook 251 215986 5
Dropbox 5 725 2
Instagram 363 255094 16
@@ -16,19 +16,19 @@ JA3 Host Stats:
3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Host: photos-g.ak.instagram.com][PLAIN TEXT (GET /hphotos)]
4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com][PLAIN TEXT (GET /hphotos)]
5 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Host: photos-g.ak.instagram.com][PLAIN TEXT (GET /hphotos)]
- 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][PLAIN TEXT (ny.iaXs)]
+ 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 64.119/TLS_No_Cert.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][PLAIN TEXT (ny.iaXs)]
7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][cat: Web/5][25 pkts/37100 bytes <-> 24 pkts/1584 bytes][PLAIN TEXT (inOCIM)]
8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][cat: Web/5][14 pkts/924 bytes <-> 20 pkts/28115 bytes][PLAIN TEXT (dGQaNFV)]
9 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][cat: Web/5][16 pkts/22931 bytes <-> 9 pkts/594 bytes][PLAIN TEXT (DD.DOo)]
- 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][6 pkts/4699 bytes <-> 6 pkts/1345 bytes]
- 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][PLAIN TEXT (kpaeC.)]
- 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 5 pkts/4020 bytes]
+ 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][TLSv1][client: igcdn-photos-g-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][TLSv1][client: igcdn-photos-h-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 64.119/TLS_No_Cert.Facebook][cat: SocialNetwork/6][6 pkts/4699 bytes <-> 6 pkts/1345 bytes]
+ 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][TLSv1][client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][TLSv1][client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][organization: Akamai Technologies Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 64.119/TLS_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][PLAIN TEXT (kpaeC.)]
+ 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 64.119/TLS_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 5 pkts/4020 bytes]
17 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Host: photos-f.ak.instagram.com][PLAIN TEXT (GET /hphotos)]
- 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][JA3S: acb741bcdffb787c5a52654c78645bdf][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][TLSv1][client: telegraph-ash.instagram.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][JA3S: acb741bcdffb787c5a52654c78645bdf][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
19 UDP 192.168.0.106:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/580 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 413767116)]
20 ICMP 192.168.0.103:0 -> 192.168.0.103:0 [proto: 81/ICMP][cat: Network/14][5 pkts/510 bytes -> 0 pkts/0 bytes]
21 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/89 bytes <-> 1 pkts/305 bytes][Host: igcdn-photos-h-a.akamaihd.net][PLAIN TEXT (photos)]
@@ -38,7 +38,7 @@ JA3 Host Stats:
25 UDP 192.168.0.103:33603 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-a-a.akamaihd.net][PLAIN TEXT (photos)]
26 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
27 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
- 28 TCP 192.168.0.103:58690 -> 46.33.70.159:443 [proto: 91/SSL][cat: Web/5][2 pkts/169 bytes -> 0 pkts/0 bytes]
+ 28 TCP 192.168.0.103:58690 -> 46.33.70.159:443 [proto: 91/TLS][cat: Web/5][2 pkts/169 bytes -> 0 pkts/0 bytes]
29 UDP 192.168.0.106:17500 -> 192.168.0.255:17500 [proto: 121/Dropbox][cat: Cloud/13][1 pkts/145 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 413767116)]
30 TCP 46.33.70.150:80 <-> 192.168.0.103:40855 [proto: 7/HTTP][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/66 bytes]
31 UDP 192.168.0.103:27124 -> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/85 bytes -> 0 pkts/0 bytes][Host: photos-b.ak.instagram.com][PLAIN TEXT (photos)]
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
index 69220b7d5..ee148678e 100644
--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@@ -1,7 +1,7 @@
DNS 2 217 1
HTTP 1 56 1
ICMP 1 147 1
-SSL 23 2689 2
+TLS 23 2689 2
Facebook 215 51809 12
Google 16 1031 3
HTTP_Proxy 26 3926 1
@@ -13,21 +13,21 @@ JA3 Host Stats:
1 10.24.82.188 2
- 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][TLSv1.2][JA3C: 051d20e8adbe8dac78945de300764d5e][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
- 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][TLSv1.2][JA3C: 051d20e8adbe8dac78945de300764d5e][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
- 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][TLSv1.2][JA3C: 051d20e8adbe8dac78945de300764d5e][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
- 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
- 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
- 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
- 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][TLSv1.2][client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][TLSv1.2][client: developers.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][TLSv1.2][client: api.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
+ 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
+ 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
+ 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes]
- 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes]
- 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/SSL.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][TLSv1][server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (Gyeonggi do)]
+ 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes]
+ 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][TLSv1][server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (Gyeonggi do)]
11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)]
12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)]
13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes]
- 14 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/SSL][cat: Web/5][2 pkts/112 bytes <-> 3 pkts/168 bytes]
- 15 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][2 pkts/139 bytes <-> 2 pkts/112 bytes]
+ 14 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/TLS][cat: Web/5][2 pkts/112 bytes <-> 3 pkts/168 bytes]
+ 15 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][2 pkts/139 bytes <-> 2 pkts/112 bytes]
16 UDP 10.24.82.188:57816 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/78 bytes <-> 1 pkts/166 bytes][Host: katalk.kakao.com][PLAIN TEXT (katalk)]
17 UDP 10.24.82.188:4017 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/85 bytes <-> 1 pkts/144 bytes][Host: developers.facebook.com][PLAIN TEXT (developers)]
18 UDP 10.24.82.188:19582 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/80 bytes <-> 1 pkts/138 bytes][Host: graph.facebook.com][PLAIN TEXT (facebook)]
@@ -49,5 +49,5 @@ JA3 Host Stats:
34 UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/97 bytes][Host: dn-l.talk.kakao.com]
35 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][cat: Web/5][1 pkts/164 bytes -> 0 pkts/0 bytes]
36 ICMP 10.24.82.188:0 -> 10.188.191.1:0 [proto: 81/ICMP][cat: Network/14][1 pkts/147 bytes -> 0 pkts/0 bytes]
- 37 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/83 bytes -> 0 pkts/0 bytes]
+ 37 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/83 bytes -> 0 pkts/0 bytes]
38 TCP 120.28.26.242:80 -> 10.24.82.188:34503 [proto: 7/HTTP][cat: Web/5][1 pkts/56 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out
index 3d94751e5..b399fd3e3 100644
--- a/tests/result/KakaoTalk_talk.pcap.out
+++ b/tests/result/KakaoTalk_talk.pcap.out
@@ -1,11 +1,10 @@
HTTP 5 280 1
QQ 15 1727 1
RTP 2991 398751 2
-SSL 50 11306 2
+TLS 90 21844 3
Facebook 34 4401 4
Google 4 359 4
HTTP_Proxy 16 1838 2
-Tor 40 10538 1
Amazon 4 396 1
KakaoTalk_Voice 44 6196 2
@@ -16,21 +15,21 @@ JA3 Host Stats:
1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][PLAIN TEXT (46yOXQ)]
2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][PLAIN TEXT (46yOXQ)]
- 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 163/Tor][cat: VPN/2][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][PLAIN TEXT (Kakao.com)]
- 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/SSL][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
- 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
+ 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes]
7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes]
8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Host: hkminorshort.weixin.qq.com][PLAIN TEXT (POST http)]
9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][6 pkts/543 bytes <-> 5 pkts/945 bytes]
- 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][cat: Web/5][3 pkts/1044 bytes <-> 2 pkts/154 bytes]
+ 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][3 pkts/1044 bytes <-> 2 pkts/154 bytes]
11 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 178/Amazon][cat: Web/5][2 pkts/225 bytes <-> 2 pkts/171 bytes][PLAIN TEXT (xiaomi.com)]
12 TCP 10.24.82.188:53974 -> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][cat: Web/5][5 pkts/350 bytes -> 0 pkts/0 bytes]
13 TCP 120.28.26.242:80 <-> 10.24.82.188:34533 [proto: 7/HTTP][cat: Web/5][3 pkts/168 bytes <-> 2 pkts/112 bytes]
14 UDP 10.24.82.188:25223 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/79 bytes <-> 1 pkts/118 bytes][Host: mqtt.facebook.com][PLAIN TEXT (facebook)]
15 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][cat: Web/5][1 pkts/164 bytes -> 0 pkts/0 bytes]
- 16 TCP 173.252.88.128:443 -> 10.24.82.188:59912 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][2 pkts/124 bytes -> 0 pkts/0 bytes]
- 17 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/83 bytes -> 0 pkts/0 bytes]
- 18 TCP 173.194.117.229:443 -> 10.24.82.188:38380 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/56 bytes -> 0 pkts/0 bytes]
- 19 TCP 173.252.122.1:443 -> 10.24.82.188:52123 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][1 pkts/56 bytes -> 0 pkts/0 bytes]
- 20 TCP 216.58.220.161:443 -> 10.24.82.188:56697 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/56 bytes -> 0 pkts/0 bytes]
+ 16 TCP 173.252.88.128:443 -> 10.24.82.188:59912 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][2 pkts/124 bytes -> 0 pkts/0 bytes]
+ 17 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/83 bytes -> 0 pkts/0 bytes]
+ 18 TCP 173.194.117.229:443 -> 10.24.82.188:38380 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/56 bytes -> 0 pkts/0 bytes]
+ 19 TCP 173.252.122.1:443 -> 10.24.82.188:52123 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][1 pkts/56 bytes -> 0 pkts/0 bytes]
+ 20 TCP 216.58.220.161:443 -> 10.24.82.188:56697 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/56 bytes -> 0 pkts/0 bytes]
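Review bot: Flow 3 (`10.24.82.188:58857 <-> 110.76.143.50:9001`) changes from `163/Tor` to `91/TLS`, and the first hunk of this file drops the `Tor 40 10538 1` summary row, so this capture no longer produces any Tor classification. The new result looks plausible for this flow, since it carries `server: kakao.com` and the same JA3C/JA3S pair as flow 4 to the same host, and the new `TLS 90 21844 3` row is the sum of the old SSL and Tor rows. This is a behaviour change in detection rather than part of the SSL-to-TLS rename, so the commit description should say so, for example `Flows to port 9001 carrying a TLS handshake are no longer reported as Tor`. If no other capture under tests/pcap still yields a `163/Tor` flow, one should be added so that a regression in Tor detection is caught.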
diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out
index 370b998cb..f37856c45 100644
--- a/tests/result/dnscrypt.pcap.out
+++ b/tests/result/dnscrypt.pcap.out
@@ -1,11 +1,11 @@
-SSL 111 44676 4
+TLS 111 44676 4
JA3 Host Stats:
IP Address # JA3C
1 192.168.43.167 2
- 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][TLSv1.2][JA3C: b8f81673c0e1d29908346f3bab892b9b][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][TLSv1.2][client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][TLSv1.2][client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out
index 3a52bb53a..5988701ec 100644
--- a/tests/result/facebook.pcap.out
+++ b/tests/result/facebook.pcap.out
@@ -5,5 +5,5 @@ JA3 Host Stats:
1 192.168.43.18 2
- 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][TLSv1.2][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
- 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][TLSv1.2][JA3C: bfcc1a3891601edb4f137ab7ab25b840][server: *.facebook.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][TLSv1.2][client: www.facebook.com][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][TLSv1.2][client: facebook.com][JA3C: bfcc1a3891601edb4f137ab7ab25b840][server: *.facebook.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out
index 52d500449..6675d2462 100644
--- a/tests/result/google_ssl.pcap.out
+++ b/tests/result/google_ssl.pcap.out
@@ -4,4 +4,4 @@ JA3 Host Stats:
IP Address # JA3C
- 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/SSL.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][TLSv1][server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_SHA]
+ 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/TLS.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][TLSv1][server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_SHA]
diff --git a/tests/result/hangout.pcap.out b/tests/result/hangout.pcap.out
index fada1ad79..5e8faba55 100644
--- a/tests/result/hangout.pcap.out
+++ b/tests/result/hangout.pcap.out
@@ -1,3 +1,3 @@
GoogleHangoutDuo 19 2774 1
- 1 UDP 74.125.134.127:19305 -> 10.89.61.13:56406 [proto: 201/GoogleHangoutDuo][cat: VoIP/10][19 pkts/2774 bytes -> 0 pkts/0 bytes][PLAIN TEXT (sdiKGkw)]
+ 1 UDP 74.125.134.127:19305 -> 10.89.61.13:56406 [proto: 78.201/STUN.GoogleHangoutDuo][cat: VoIP/10][19 pkts/2774 bytes -> 0 pkts/0 bytes][PLAIN TEXT (sdiKGkw)]
diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out
index 3e179b9e1..d4abf05ae 100644
--- a/tests/result/http_ipv6.pcap.out
+++ b/tests/result/http_ipv6.pcap.out
@@ -1,5 +1,5 @@
ntop 80 36401 4
-SSL 26 3245 7
+TLS 26 3245 7
Facebook 22 10202 2
Google 62 15977 1
QUIC 3 502 1
@@ -10,17 +10,17 @@ JA3 Host Stats:
1 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][cat: Web/5][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Host: www.google.it][PLAIN TEXT (www.google.it)]
- 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293]
- 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293]
- 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293]
- 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293]
- 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][organization: Facebook, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][TLSv1.2][JA3C: d3e627f423a33ea41841c19b8af79293][server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][organization: Facebook, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/SSL][cat: Web/5][7 pkts/860 bytes <-> 7 pkts/1353 bytes]
+ 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][TLSv1][client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293]
+ 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][TLSv1][client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293]
+ 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][TLSv1][client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293]
+ 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][TLSv1][client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293]
+ 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][TLSv1.2][client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][organization: Facebook, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][TLSv1.2][client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][organization: Facebook, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/TLS][cat: Web/5][7 pkts/860 bytes <-> 7 pkts/1353 bytes]
9 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][cat: Web/5][2 pkts/359 bytes <-> 1 pkts/143 bytes]
- 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
- 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
- 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40526 <-> [2a00:1450:4006:804::200e]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
- 13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:58660 <-> [2a00:1450:4006:803::2008]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
- 14 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:59690 <-> [2a00:1450:4001:803::1012]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
- 15 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
+ 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
+ 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
+ 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40526 <-> [2a00:1450:4006:804::200e]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
+ 13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:58660 <-> [2a00:1450:4006:803::2008]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
+ 14 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:59690 <-> [2a00:1450:4001:803::1012]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
+ 15 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes]
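Review bot: The new `[client: …]` field on flows 2–7 looks like the server name requested in the ClientHello, which the client chooses freely and which nothing in this output ties to the certificate; flows 2–5 show `client: www.ntop.org` with no `server:` entry at all. Because the result line uses `[` and `]` as field delimiters, it is worth confirming in the reader code (not visible in this hunk) that the name is length-bounded and limited to printable hostname characters before it is printed. A fixture with an over-long or non-hostname value would pin that behaviour. The same field is added in the netflix, nintendo and ocs expectations further down, so the point applies there as well.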
diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out
index 2a374f71e..bf05cc4c3 100644
--- a/tests/result/netflix.pcap.out
+++ b/tests/result/netflix.pcap.out
@@ -13,16 +13,16 @@ JA3 Host Stats:
2 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Host: 23.246.3.140][PLAIN TEXT (oMrLRiWL)]
3 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Host: 23.246.11.133][PLAIN TEXT (oMrLRiWL1)]
4 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][147 pkts/11558 bytes <-> 490 pkts/734346 bytes][Host: tp.akam.nflximg.com][PLAIN TEXT (GET /tpa3/616/2041779616.bif HT)]
- 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: secure.cdn.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
+ 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][TLSv1.2][client: art-s.nflximg.net][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: secure.cdn.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
6 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Host: 23.246.11.141][PLAIN TEXT (oMrLRiWL2)]
7 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Host: art-2.nflximg.net][PLAIN TEXT (GET /5758)]
- 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][TLSv1.2][client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
10 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2040 bytes <-> 34 pkts/45136 bytes][PLAIN TEXT (GET /range/0)]
11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1868 bytes <-> 34 pkts/45139 bytes][PLAIN TEXT (GET /range/0)]
12 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Host: art-2.nflximg.net][PLAIN TEXT (GET /af)]
13 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1826 bytes <-> 32 pkts/43179 bytes][PLAIN TEXT (GET /range/0)]
- 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
15 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Host: art-1.nflximg.net][PLAIN TEXT (GET /8b)]
16 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2596 bytes <-> 29 pkts/37544 bytes][PLAIN TEXT (czGET /range/0)]
17 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Host: art-1.nflximg.net][PLAIN TEXT (GET /4e)]
@@ -30,31 +30,31 @@ JA3 Host Stats:
19 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][33 pkts/2732 bytes <-> 25 pkts/30064 bytes][PLAIN TEXT (GET /range/0)]
20 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2041 bytes <-> 25 pkts/30064 bytes][PLAIN TEXT (GET /range/0)]
21 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2571 bytes <-> 22 pkts/28042 bytes][PLAIN TEXT (GET /range/0)]
- 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][TLSv1.2][JA3C: d8bfad189bd26664e04570c104ee8418][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: d8bfad189bd26664e04570c104ee8418][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
23 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][32 pkts/2572 bytes <-> 23 pkts/26661 bytes][PLAIN TEXT (fGET /range/0)]
24 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][36 pkts/3030 bytes <-> 21 pkts/25455 bytes][PLAIN TEXT (GET /range/0)]
25 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2864 bytes <-> 21 pkts/25456 bytes][PLAIN TEXT (GET /range/0)]
26 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2553 bytes <-> 22 pkts/25510 bytes][PLAIN TEXT (GET /range/0)]
- 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][TLSv1.2][client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
29 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][35 pkts/2920 bytes <-> 19 pkts/22428 bytes][PLAIN TEXT (GET /range/0)]
30 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2879 bytes <-> 20 pkts/22373 bytes][PLAIN TEXT (GET /range/0)]
31 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2610 bytes <-> 20 pkts/22422 bytes][PLAIN TEXT (GET /range/0)]
- 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][TLSv1.2][client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Host: api-global.netflix.com][PLAIN TEXT (POST /msl/nrdjs/2.1.2 HTTP/1.1)]
- 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][TLSv1.2][client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
36 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Host: art-2.nflximg.net][PLAIN TEXT (GET /87)]
- 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][TLSv1.2][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][TLSv1.2][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][TLSv1.2][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][TLSv1.2][client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][TLSv1.2][client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][TLSv1.2][client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][TLSv1.2][client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][TLSv1.2][client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][TLSv1.2][client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][organization: Netflix, Inc.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][TLSv1.2][client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
47 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][16 pkts/2648 bytes -> 0 pkts/0 bytes][PLAIN TEXT (SEARCH )]
48 UDP 192.168.1.7:51543 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com][PLAIN TEXT (netflix)]
49 UDP 192.168.1.7:51622 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com][PLAIN TEXT (netflix)]
@@ -68,5 +68,5 @@ JA3 Host Stats:
57 UDP 192.168.1.7:57719 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/85 bytes <-> 1 pkts/137 bytes][Host: sha2.san.akam.nflximg.net][PLAIN TEXT (akamaiedge)]
58 UDP 192.168.1.7:57093 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/113 bytes][Host: a1907.dscg.akamai.net][PLAIN TEXT (akamai)]
59 UDP 192.168.1.7:51728 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/80 bytes <-> 1 pkts/112 bytes][Host: a803.dscg.akamai.net][PLAIN TEXT (akamai)]
- 60 TCP 192.168.1.7:52929 -> 52.24.87.6:443 [proto: 91.178/SSL.Amazon][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes]
+ 60 TCP 192.168.1.7:52929 -> 52.24.87.6:443 [proto: 91.178/TLS.Amazon][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes]
61 IGMP 192.168.1.7:0 -> 239.255.255.250:0 [proto: 82/IGMP][cat: Network/14][1 pkts/60 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out
index 934c8cc29..903ae840f 100644
--- a/tests/result/nintendo.pcap.out
+++ b/tests/result/nintendo.pcap.out
@@ -10,9 +10,9 @@ JA3 Host Stats:
1 UDP 192.168.12.114:55915 <-> 185.118.169.65:27520 [proto: 173/Nintendo][cat: Game/8][169 pkts/61414 bytes <-> 278 pkts/126260 bytes][PLAIN TEXT (pluHnq)]
2 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][cat: Game/8][122 pkts/48332 bytes <-> 35 pkts/5026 bytes]
3 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][cat: Game/8][122 pkts/46476 bytes <-> 38 pkts/5268 bytes][PLAIN TEXT (FutwCa)]
- 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 64.178/SSL_No_Cert.Amazon][cat: Web/5][34 pkts/4466 bytes <-> 20 pkts/4021 bytes]
- 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/SSL.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][TLSv1.2][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Nintendo Co., Ltd.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/SSL.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][TLSv1.2][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Nintendo Co., Ltd.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 64.178/TLS_No_Cert.Amazon][cat: Web/5][34 pkts/4466 bytes <-> 20 pkts/4021 bytes]
+ 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][TLSv1.2][client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Nintendo Co., Ltd.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][TLSv1.2][client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Nintendo Co., Ltd.][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
7 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][cat: Game/8][23 pkts/2682 bytes <-> 16 pkts/3408 bytes]
8 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][cat: Game/8][8 pkts/1024 bytes <-> 8 pkts/1024 bytes]
9 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][cat: Game/8][8 pkts/1040 bytes <-> 7 pkts/922 bytes]
@@ -27,4 +27,4 @@ JA3 Host Stats:
18 UDP 192.168.12.114:55915 -> 35.158.74.61:33335 [proto: 178/Amazon][cat: Web/5][3 pkts/318 bytes -> 0 pkts/0 bytes][PLAIN TEXT (NATTestId)]
19 UDP 192.168.12.114:55915 -> 52.10.205.177:34343 [proto: 178/Amazon][cat: Web/5][1 pkts/298 bytes -> 0 pkts/0 bytes]
20 UDP 192.168.12.114:55915 -> 35.158.74.61:33334 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes -> 0 pkts/0 bytes]
- 21 TCP 192.168.12.114:11534 <-> 54.146.242.74:443 [proto: 91.178/SSL.Amazon][cat: Web/5][1 pkts/54 bytes <-> 1 pkts/54 bytes]
+ 21 TCP 192.168.12.114:11534 <-> 54.146.242.74:443 [proto: 91.178/TLS.Amazon][cat: Web/5][1 pkts/54 bytes <-> 1 pkts/54 bytes]
diff --git a/tests/result/ocs.pcap.out b/tests/result/ocs.pcap.out
index 960f84ba7..7354137cb 100644
--- a/tests/result/ocs.pcap.out
+++ b/tests/result/ocs.pcap.out
@@ -13,12 +13,12 @@ JA3 Host Stats:
1 TCP 192.168.180.2:49881 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][cat: Media/1][751 pkts/44783 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws][PLAIN TEXT (POST /catalog/vod)]
- 2 TCP 192.168.180.2:36680 -> 178.248.208.54:443 [proto: 91.218/SSL.OCS][cat: Media/1][20 pkts/6089 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 0534a22b266a64a5cc9a90f7b5c483cc]
+ 2 TCP 192.168.180.2:36680 -> 178.248.208.54:443 [proto: 91.218/TLS.OCS][cat: Media/1][20 pkts/6089 bytes -> 0 pkts/0 bytes][TLSv1][client: ocs.labgency.ws][JA3C: 0534a22b266a64a5cc9a90f7b5c483cc]
3 TCP 192.168.180.2:42590 -> 178.248.208.210:80 [proto: 7.218/HTTP.OCS][cat: Media/1][83 pkts/5408 bytes -> 0 pkts/0 bytes][Host: www.ocs.fr][PLAIN TEXT (GET /data)]
- 4 TCP 192.168.180.2:39263 -> 23.21.230.199:443 [proto: 91.178/SSL.Amazon][cat: Web/5][20 pkts/2715 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: b030dba3ca09e2e484b9fa75adc4039c]
- 5 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.239/SSL.GoogleServices][cat: Web/5][12 pkts/2212 bytes -> 0 pkts/0 bytes][TLSv1.2][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1]
- 6 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/SSL.Google][cat: Web/5][12 pkts/1608 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66]
- 7 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/SSL.Google][cat: Web/5][13 pkts/1448 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66]
+ 4 TCP 192.168.180.2:39263 -> 23.21.230.199:443 [proto: 91.178/TLS.Amazon][cat: Web/5][20 pkts/2715 bytes -> 0 pkts/0 bytes][TLSv1][client: settings.crashlytics.com][JA3C: b030dba3ca09e2e484b9fa75adc4039c]
+ 5 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.239/TLS.GoogleServices][cat: Web/5][12 pkts/2212 bytes -> 0 pkts/0 bytes][TLSv1.2][client: mtalk.google.com][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1]
+ 6 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/TLS.Google][cat: Web/5][12 pkts/1608 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66]
+ 7 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/TLS.Google][cat: Web/5][13 pkts/1448 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66]
8 TCP 192.168.180.2:48250 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][cat: Media/1][6 pkts/1092 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws][PLAIN TEXT (POST /catalog/vod)]
9 TCP 192.168.180.2:44959 -> 137.135.129.206:80 [proto: 7.7/HTTP][cat: Web/5][7 pkts/540 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com][PLAIN TEXT (GET /ip)]
10 TCP 192.168.180.2:53356 -> 137.135.129.206:80 [proto: 7.7/HTTP][cat: Web/5][6 pkts/479 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com][PLAIN TEXT (GET /xmpp)]
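Review bot: Flows 6 and 7 keep a `JA3C` value, so a ClientHello was parsed for them, yet they get no `client:` field while flows 2, 4 and 5 in the same hunk do. This may simply mean those hellos carry no server-name extension, but it should be checked against the pcap, since otherwise the expectation freezes a missed extraction as correct. A short note in the test documentation listing which flows are expected to lack `client:` would make later diffs of this file easier to review.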
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index cbf4d6a58..1541c0928 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -6,7 +6,7 @@ SSDP 101 38156 6
SkypeCall 730 71378 170
ICMP 8 656 1
IGMP 5 258 4
-SSL 96 8876 7
+TLS 96 8876 7
Dropbox 38 17948 5
Skype 1409 253031 79
Apple 3 168 1
@@ -20,93 +20,93 @@ JA3 Host Stats:
1 192.168.1.34 1
- 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][PLAIN TEXT ( 0sKWL)]
3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][PLAIN TEXT (NOTIFY )]
- 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/SSL.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][TLSv1.2][client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
5 TCP 192.168.1.34:50119 <-> 86.31.35.30:59621 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][62 pkts/6941 bytes <-> 38 pkts/5325 bytes]
6 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/7281 bytes -> 0 pkts/0 bytes][PLAIN TEXT (NOTIFY )]
- 7 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 64.121/SSL_No_Cert.Dropbox][cat: Cloud/13][8 pkts/1636 bytes <-> 8 pkts/4344 bytes]
+ 7 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 64.121/TLS_No_Cert.Dropbox][cat: Cloud/13][8 pkts/1636 bytes <-> 8 pkts/4344 bytes]
8 TCP 192.168.1.34:50117 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][24 pkts/3136 bytes <-> 19 pkts/2618 bytes]
9 TCP 192.168.1.34:50126 <-> 91.190.216.23:12350 [proto: 125/Skype][cat: VoIP/10][16 pkts/4788 bytes <-> 4 pkts/372 bytes]
10 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][19 pkts/2797 bytes <-> 13 pkts/2175 bytes]
11 TCP 192.168.1.34:50118 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][18 pkts/2588 bytes <-> 13 pkts/2100 bytes]
12 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][15 pkts/2395 bytes <-> 8 pkts/1724 bytes]
- 13 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726]
- 14 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726]
+ 13 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][TLSv1][client: apps.skypeassets.com][JA3C: 799135475da362592a4be9199d258726]
+ 14 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][TLSv1][client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726]
15 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 1573195445)]
16 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 1573195445)]
17 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)]
18 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)]
- 19 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 64.125/SSL_No_Cert.Skype][cat: VoIP/10][12 pkts/2140 bytes <-> 3 pkts/200 bytes][PLAIN TEXT (apps.skype.com)]
+ 19 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 64.125/TLS_No_Cert.Skype][cat: VoIP/10][12 pkts/2140 bytes <-> 3 pkts/200 bytes][PLAIN TEXT (apps.skype.com)]
20 TCP 192.168.1.34:50134 <-> 157.56.53.47:12350 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/1578 bytes <-> 4 pkts/342 bytes]
21 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/1211 bytes <-> 6 pkts/666 bytes]
- 22 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][13 pkts/1554 bytes <-> 3 pkts/200 bytes]
+ 22 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][13 pkts/1554 bytes <-> 3 pkts/200 bytes]
23 TCP 192.168.1.34:50122 <-> 81.133.19.185:44431 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1090 bytes <-> 6 pkts/534 bytes]
- 24 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/SSL][cat: Web/5][13 pkts/1392 bytes <-> 3 pkts/200 bytes]
- 25 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1305 bytes <-> 3 pkts/285 bytes]
- 26 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/1218 bytes <-> 4 pkts/351 bytes]
- 27 TCP 192.168.1.34:50080 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1249 bytes <-> 3 pkts/285 bytes]
- 28 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/955 bytes <-> 9 pkts/561 bytes]
- 29 TCP 192.168.1.34:50081 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1270 bytes <-> 3 pkts/243 bytes]
+ 24 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/TLS][cat: Web/5][13 pkts/1392 bytes <-> 3 pkts/200 bytes]
+ 25 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1305 bytes <-> 3 pkts/285 bytes]
+ 26 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/1218 bytes <-> 4 pkts/351 bytes]
+ 27 TCP 192.168.1.34:50080 <-> 157.55.235.156:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1249 bytes <-> 3 pkts/285 bytes]
+ 28 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/955 bytes <-> 9 pkts/561 bytes]
+ 29 TCP 192.168.1.34:50081 <-> 157.55.130.176:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1270 bytes <-> 3 pkts/243 bytes]
30 TCP 192.168.1.34:50116 <-> 81.83.77.141:17639 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][15 pkts/1138 bytes <-> 4 pkts/372 bytes]
31 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1075 bytes <-> 4 pkts/431 bytes]
32 TCP 192.168.1.34:50075 <-> 213.199.179.142:40003 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1100 bytes <-> 5 pkts/395 bytes]
- 33 TCP 192.168.1.34:50072 <-> 157.55.130.170:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1207 bytes <-> 3 pkts/277 bytes]
- 34 TCP 192.168.1.34:50066 <-> 65.55.223.12:443 [proto: 91/SSL][cat: Web/5][12 pkts/1221 bytes <-> 3 pkts/231 bytes]
+ 33 TCP 192.168.1.34:50072 <-> 157.55.130.170:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1207 bytes <-> 3 pkts/277 bytes]
+ 34 TCP 192.168.1.34:50066 <-> 65.55.223.12:443 [proto: 91/TLS][cat: Web/5][12 pkts/1221 bytes <-> 3 pkts/231 bytes]
35 TCP 192.168.1.34:50137 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1062 bytes <-> 4 pkts/383 bytes]
36 TCP 192.168.1.34:50076 <-> 157.55.235.156:40014 [proto: 125/Skype][cat: VoIP/10][14 pkts/1083 bytes <-> 4 pkts/359 bytes]
37 TCP 192.168.1.34:50054 <-> 157.55.130.153:40005 [proto: 125/Skype][cat: VoIP/10][13 pkts/1020 bytes <-> 4 pkts/421 bytes]
38 TCP 192.168.1.34:50132 <-> 149.13.32.15:13392 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/1010 bytes <-> 5 pkts/402 bytes]
- 39 TCP 192.168.1.34:50045 <-> 157.55.130.167:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1151 bytes <-> 3 pkts/260 bytes]
+ 39 TCP 192.168.1.34:50045 <-> 157.55.130.167:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1151 bytes <-> 3 pkts/260 bytes]
40 TCP 192.168.1.34:50114 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1040 bytes <-> 4 pkts/362 bytes]
41 TCP 192.168.1.34:50065 <-> 65.55.223.12:40031 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/1004 bytes <-> 4 pkts/397 bytes]
- 42 TCP 192.168.1.34:50069 <-> 157.55.56.160:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/1050 bytes <-> 4 pkts/351 bytes]
+ 42 TCP 192.168.1.34:50069 <-> 157.55.56.160:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/1050 bytes <-> 4 pkts/351 bytes]
43 TCP 192.168.1.34:50034 <-> 157.55.130.140:40033 [proto: 125/Skype][cat: VoIP/10][13 pkts/1010 bytes <-> 4 pkts/390 bytes]
44 TCP 192.168.1.34:50088 <-> 157.55.235.146:33033 [proto: 125/Skype][cat: VoIP/10][14 pkts/1085 bytes <-> 4 pkts/315 bytes]
- 45 TCP 192.168.1.34:50102 <-> 65.55.223.15:443 [proto: 91/SSL][cat: Web/5][11 pkts/1140 bytes <-> 3 pkts/250 bytes]
+ 45 TCP 192.168.1.34:50102 <-> 65.55.223.15:443 [proto: 91/TLS][cat: Web/5][11 pkts/1140 bytes <-> 3 pkts/250 bytes]
46 TCP 192.168.1.34:50092 <-> 157.55.130.155:40020 [proto: 125/Skype][cat: VoIP/10][13 pkts/975 bytes <-> 4 pkts/412 bytes]
47 TCP 192.168.1.34:50115 <-> 86.31.35.30:59621 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/995 bytes <-> 4 pkts/391 bytes]
48 TCP 192.168.1.34:50098 <-> 65.55.223.15:40026 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/995 bytes <-> 4 pkts/386 bytes]
49 TCP 192.168.1.34:50130 <-> 212.161.8.36:13392 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/1000 bytes <-> 4 pkts/380 bytes]
- 50 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/SSL][cat: Web/5][13 pkts/1176 bytes <-> 3 pkts/200 bytes]
+ 50 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/TLS][cat: Web/5][13 pkts/1176 bytes <-> 3 pkts/200 bytes]
51 TCP 192.168.1.34:50097 <-> 157.55.235.176:40022 [proto: 125/Skype][cat: VoIP/10][13 pkts/1000 bytes <-> 4 pkts/371 bytes]
52 TCP 192.168.1.34:50026 <-> 65.55.223.33:40002 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/971 bytes <-> 4 pkts/399 bytes]
53 TCP 192.168.1.34:50033 <-> 157.55.56.170:40015 [proto: 125/Skype][cat: VoIP/10][13 pkts/977 bytes <-> 4 pkts/384 bytes]
54 TCP 192.168.1.34:50053 <-> 157.55.56.146:40030 [proto: 125/Skype][cat: VoIP/10][12 pkts/940 bytes <-> 5 pkts/415 bytes]
55 TCP 192.168.1.34:50099 <-> 64.4.23.166:40022 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/948 bytes <-> 4 pkts/407 bytes]
56 TCP 192.168.1.34:50044 <-> 157.55.130.167:40031 [proto: 125/Skype][cat: VoIP/10][13 pkts/993 bytes <-> 4 pkts/360 bytes]
- 57 TCP 192.168.1.34:50051 <-> 157.55.130.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1074 bytes <-> 3 pkts/277 bytes]
- 58 TCP 192.168.1.34:50057 <-> 157.55.130.153:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1102 bytes <-> 3 pkts/247 bytes]
- 59 TCP 192.168.1.34:50048 <-> 157.55.130.150:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1109 bytes <-> 3 pkts/236 bytes]
+ 57 TCP 192.168.1.34:50051 <-> 157.55.130.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1074 bytes <-> 3 pkts/277 bytes]
+ 58 TCP 192.168.1.34:50057 <-> 157.55.130.153:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1102 bytes <-> 3 pkts/247 bytes]
+ 59 TCP 192.168.1.34:50048 <-> 157.55.130.150:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1109 bytes <-> 3 pkts/236 bytes]
60 TCP 192.168.1.34:50077 <-> 157.55.130.176:40022 [proto: 125/Skype][cat: VoIP/10][13 pkts/1004 bytes <-> 4 pkts/334 bytes]
- 61 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/1074 bytes <-> 3 pkts/254 bytes]
+ 61 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/1074 bytes <-> 3 pkts/254 bytes]
62 TCP 192.168.1.34:50074 <-> 157.55.130.173:40003 [proto: 125/Skype][cat: VoIP/10][13 pkts/1010 bytes <-> 4 pkts/317 bytes]
- 63 TCP 192.168.1.34:50078 <-> 157.55.130.173:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1088 bytes <-> 3 pkts/236 bytes]
+ 63 TCP 192.168.1.34:50078 <-> 157.55.130.173:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1088 bytes <-> 3 pkts/236 bytes]
64 TCP 192.168.1.34:50070 <-> 157.55.130.170:40018 [proto: 125/Skype][cat: VoIP/10][13 pkts/989 bytes <-> 4 pkts/323 bytes]
- 65 TCP 192.168.1.34:50030 <-> 65.55.223.33:443 [proto: 91/SSL][cat: Web/5][11 pkts/960 bytes <-> 4 pkts/351 bytes]
+ 65 TCP 192.168.1.34:50030 <-> 65.55.223.33:443 [proto: 91/TLS][cat: Web/5][11 pkts/960 bytes <-> 4 pkts/351 bytes]
66 TCP 192.168.1.34:50032 <-> 157.56.52.44:40032 [proto: 125/Skype][cat: VoIP/10][12 pkts/969 bytes <-> 4 pkts/337 bytes]
- 67 TCP 192.168.1.34:50094 <-> 157.55.130.155:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1039 bytes <-> 3 pkts/267 bytes]
+ 67 TCP 192.168.1.34:50094 <-> 157.55.130.155:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1039 bytes <-> 3 pkts/267 bytes]
68 TCP 192.168.1.34:50067 <-> 157.55.56.160:40027 [proto: 125/Skype][cat: VoIP/10][12 pkts/899 bytes <-> 5 pkts/406 bytes]
69 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/982 bytes <-> 4 pkts/322 bytes]
- 70 TCP 192.168.1.34:50063 <-> 111.221.74.38:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/1002 bytes <-> 3 pkts/285 bytes]
+ 70 TCP 192.168.1.34:50063 <-> 111.221.74.38:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/1002 bytes <-> 3 pkts/285 bytes]
71 TCP 192.168.1.34:50049 <-> 157.55.130.166:40021 [proto: 125/Skype][cat: VoIP/10][11 pkts/836 bytes <-> 5 pkts/442 bytes]
72 TCP 192.168.1.34:50086 <-> 111.221.77.142:40023 [proto: 125/Skype][cat: VoIP/10][11 pkts/841 bytes <-> 5 pkts/429 bytes]
- 73 TCP 192.168.1.34:50056 <-> 157.55.56.146:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/999 bytes <-> 4 pkts/266 bytes]
- 74 TCP 192.168.1.34:50038 <-> 157.55.130.140:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1032 bytes <-> 3 pkts/230 bytes]
+ 73 TCP 192.168.1.34:50056 <-> 157.55.56.146:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/999 bytes <-> 4 pkts/266 bytes]
+ 74 TCP 192.168.1.34:50038 <-> 157.55.130.140:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1032 bytes <-> 3 pkts/230 bytes]
75 TCP 192.168.1.34:50055 <-> 111.221.74.47:40030 [proto: 125/Skype][cat: VoIP/10][11 pkts/866 bytes <-> 5 pkts/396 bytes]
76 TCP 192.168.1.34:50112 <-> 76.167.161.6:20274 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/843 bytes <-> 4 pkts/411 bytes]
77 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/994 bytes <-> 2 pkts/243 bytes]
78 TCP 192.168.1.34:50059 <-> 111.221.74.38:40015 [proto: 125/Skype][cat: VoIP/10][11 pkts/820 bytes <-> 5 pkts/416 bytes]
79 TCP 192.168.1.34:50046 <-> 157.55.130.150:40011 [proto: 125/Skype][cat: VoIP/10][11 pkts/843 bytes <-> 4 pkts/386 bytes]
80 TCP 192.168.1.34:50096 <-> 111.221.74.46:40027 [proto: 125/Skype][cat: VoIP/10][11 pkts/822 bytes <-> 4 pkts/390 bytes]
- 81 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/857 bytes <-> 4 pkts/351 bytes]
+ 81 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/857 bytes <-> 4 pkts/351 bytes]
82 TCP 192.168.1.34:50113 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/827 bytes <-> 3 pkts/325 bytes]
- 83 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/SSL][cat: Web/5][9 pkts/862 bytes <-> 3 pkts/285 bytes]
+ 83 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/TLS][cat: Web/5][9 pkts/862 bytes <-> 3 pkts/285 bytes]
84 TCP 192.168.1.34:50143 <-> 78.202.226.115:29059 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/935 bytes <-> 2 pkts/197 bytes]
- 85 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/237 bytes]
+ 85 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/237 bytes]
86 TCP 192.168.1.34:50135 <-> 76.167.161.6:20274 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/838 bytes <-> 3 pkts/270 bytes]
- 87 TCP 192.168.1.34:50087 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][9 pkts/822 bytes <-> 3 pkts/285 bytes]
+ 87 TCP 192.168.1.34:50087 <-> 111.221.77.142:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][9 pkts/822 bytes <-> 3 pkts/285 bytes]
88 TCP 192.168.1.34:50136 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/814 bytes <-> 3 pkts/287 bytes]
89 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/908 bytes -> 0 pkts/0 bytes][PLAIN TEXT (afpovertc)]
90 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/828 bytes -> 0 pkts/0 bytes][PLAIN TEXT (afpovertc)]
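Review bot: The new expectation for flow 19 (`64.125/TLS_No_Cert.Skype`, 23.206.33.166:443) carries no `[client: …]` field, although its payload excerpt prints `apps.skype.com` and flow 14 to the same server now reports `[client: apps.skype.com]`. The same pattern is pinned for flow 10 in the `@@ -18,39 +18,39 @@` hunk of `tests/result/skype_no_unknown.pcap.out`. Presumably the client name is only recorded on the path that yields protocol 91, but that code is not visible here. Anything that matches or alerts on the client name would see no hostname for these `TLS_No_Cert` flows, so it is worth confirming this is deliberate before the golden files freeze it. If it is, a line in the commit message such as `client name is not reported for TLS_No_Cert flows` would keep a later regression from being read as expected output.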
@@ -129,7 +129,7 @@ JA3 Host Stats:
107 UDP 192.168.1.34:52742 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst5.r.skype.net]
108 UDP 192.168.1.34:56387 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst5.r.skype.net]
109 UDP 192.168.1.34:57288 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst6.r.skype.net]
- 110 TCP 192.168.1.34:50146 -> 157.56.53.51:443 [proto: 91/SSL][cat: Web/5][8 pkts/608 bytes -> 0 pkts/0 bytes]
+ 110 TCP 192.168.1.34:50146 -> 157.56.53.51:443 [proto: 91/TLS][cat: Web/5][8 pkts/608 bytes -> 0 pkts/0 bytes]
111 TCP 192.168.1.34:50129 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][6 pkts/353 bytes <-> 4 pkts/246 bytes]
112 UDP 192.168.1.34:49163 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com][PLAIN TEXT (config)]
113 UDP 192.168.1.34:51802 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com][PLAIN TEXT (config)]
@@ -155,7 +155,7 @@ JA3 Host Stats:
133 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
134 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
135 UDP 192.168.1.34:64085 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e7768.b.akamaiedge.net][PLAIN TEXT (akamaiedge)]
- 136 TCP 192.168.1.34:50024 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/60 bytes]
+ 136 TCP 192.168.1.34:50024 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/60 bytes]
137 IGMP 192.168.0.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][cat: Network/14][2 pkts/92 bytes -> 0 pkts/0 bytes]
138 UDP 192.168.1.34:13021 -> 64.4.23.145:40024 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][1 pkts/79 bytes -> 0 pkts/0 bytes]
139 UDP 192.168.1.34:13021 -> 65.55.223.26:40004 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][1 pkts/79 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index 57e6cdc87..81fdd9577 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -6,7 +6,7 @@ SSDP 40 14100 3
SkypeCall 454 39996 164
ICMP 4 328 1
IGMP 4 226 4
-SSL 79 7742 6
+TLS 79 7742 6
Dropbox 16 7342 5
Skype 837 150140 59
Apple 76 19581 1
@@ -18,39 +18,39 @@ JA3 Host Stats:
1 192.168.1.34 1
- 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][PLAIN TEXT (nZREBS)]
- 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 64.140/SSL_No_Cert.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][PLAIN TEXT (/tBGEll)]
+ 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 64.140/TLS_No_Cert.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][PLAIN TEXT (/tBGEll)]
4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][PLAIN TEXT (NOTIFY )]
5 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][17 pkts/2686 bytes <-> 13 pkts/2218 bytes]
6 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/2194 bytes <-> 8 pkts/1711 bytes]
- 7 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726]
+ 7 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][TLSv1][client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726]
8 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][cat: VoIP/10][12 pkts/3242 bytes <-> 3 pkts/290 bytes]
- 9 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 64.121/SSL_No_Cert.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][PLAIN TEXT (ZeNjsq)]
- 10 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 64.125/SSL_No_Cert.Skype][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][PLAIN TEXT (apps.skype.com)]
- 11 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][13 pkts/1446 bytes <-> 4 pkts/266 bytes]
- 12 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/SSL][cat: Web/5][13 pkts/1437 bytes <-> 3 pkts/200 bytes]
- 13 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1333 bytes <-> 3 pkts/251 bytes]
- 14 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1284 bytes <-> 3 pkts/285 bytes]
- 15 TCP 192.168.1.34:51239 <-> 65.55.223.45:443 [proto: 91/SSL][cat: Web/5][12 pkts/1291 bytes <-> 3 pkts/242 bytes]
- 16 TCP 192.168.1.34:51274 <-> 157.55.235.152:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1235 bytes <-> 3 pkts/285 bytes]
- 17 TCP 192.168.1.34:51260 <-> 157.55.130.142:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1249 bytes <-> 3 pkts/265 bytes]
+ 9 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 64.121/TLS_No_Cert.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][PLAIN TEXT (ZeNjsq)]
+ 10 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 64.125/TLS_No_Cert.Skype][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][PLAIN TEXT (apps.skype.com)]
+ 11 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][13 pkts/1446 bytes <-> 4 pkts/266 bytes]
+ 12 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/TLS][cat: Web/5][13 pkts/1437 bytes <-> 3 pkts/200 bytes]
+ 13 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1333 bytes <-> 3 pkts/251 bytes]
+ 14 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1284 bytes <-> 3 pkts/285 bytes]
+ 15 TCP 192.168.1.34:51239 <-> 65.55.223.45:443 [proto: 91/TLS][cat: Web/5][12 pkts/1291 bytes <-> 3 pkts/242 bytes]
+ 16 TCP 192.168.1.34:51274 <-> 157.55.235.152:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1235 bytes <-> 3 pkts/285 bytes]
+ 17 TCP 192.168.1.34:51260 <-> 157.55.130.142:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1249 bytes <-> 3 pkts/265 bytes]
18 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1104 bytes <-> 5 pkts/392 bytes]
19 TCP 192.168.1.34:51269 <-> 213.199.179.175:40029 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1106 bytes <-> 5 pkts/385 bytes]
20 TCP 192.168.1.34:51290 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1070 bytes <-> 4 pkts/420 bytes]
21 TCP 192.168.1.34:51234 <-> 157.55.235.147:40001 [proto: 125/Skype][cat: VoIP/10][14 pkts/1117 bytes <-> 4 pkts/337 bytes]
- 22 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][cat: Web/5][11 pkts/1164 bytes <-> 3 pkts/268 bytes]
- 23 TCP 192.168.1.34:51247 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/1077 bytes <-> 4 pkts/351 bytes]
+ 22 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/TLS][cat: Web/5][11 pkts/1164 bytes <-> 3 pkts/268 bytes]
+ 23 TCP 192.168.1.34:51247 <-> 157.56.52.44:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/1077 bytes <-> 4 pkts/351 bytes]
24 TCP 192.168.1.34:51257 <-> 157.55.235.170:40032 [proto: 125/Skype][cat: VoIP/10][14 pkts/1059 bytes <-> 4 pkts/367 bytes]
25 TCP 192.168.1.34:51277 <-> 157.55.235.156:40026 [proto: 125/Skype][cat: VoIP/10][13 pkts/1011 bytes <-> 4 pkts/415 bytes]
26 TCP 192.168.1.34:51305 <-> 149.13.32.15:13392 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][14 pkts/1093 bytes <-> 4 pkts/333 bytes]
- 27 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/SSL][cat: Web/5][12 pkts/1130 bytes <-> 3 pkts/285 bytes]
- 28 TCP 192.168.1.34:51280 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1130 bytes <-> 3 pkts/285 bytes]
- 29 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1095 bytes <-> 3 pkts/285 bytes]
- 30 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/1022 bytes <-> 4 pkts/351 bytes]
+ 27 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/TLS][cat: Web/5][12 pkts/1130 bytes <-> 3 pkts/285 bytes]
+ 28 TCP 192.168.1.34:51280 <-> 157.55.235.146:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1130 bytes <-> 3 pkts/285 bytes]
+ 29 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][12 pkts/1095 bytes <-> 3 pkts/285 bytes]
+ 30 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/1022 bytes <-> 4 pkts/351 bytes]
31 TCP 192.168.1.34:51289 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/991 bytes <-> 4 pkts/378 bytes]
32 TCP 192.168.1.34:51272 <-> 157.55.235.152:40029 [proto: 125/Skype][cat: VoIP/10][13 pkts/1006 bytes <-> 4 pkts/361 bytes]
- 33 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/1012 bytes <-> 4 pkts/351 bytes]
+ 33 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/1012 bytes <-> 4 pkts/351 bytes]
34 TCP 192.168.1.34:51235 <-> 65.55.223.45:40009 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][13 pkts/976 bytes <-> 4 pkts/365 bytes]
35 TCP 192.168.1.34:51237 <-> 157.55.130.176:40022 [proto: 125/Skype][cat: VoIP/10][13 pkts/986 bytes <-> 4 pkts/344 bytes]
36 TCP 192.168.1.34:51276 <-> 157.55.235.146:40021 [proto: 125/Skype][cat: VoIP/10][13 pkts/981 bytes <-> 4 pkts/348 bytes]
@@ -61,16 +61,16 @@ JA3 Host Stats:
41 TCP 192.168.1.34:51246 <-> 157.56.52.44:40020 [proto: 125/Skype][cat: VoIP/10][11 pkts/856 bytes <-> 5 pkts/409 bytes]
42 TCP 192.168.1.34:51288 <-> 76.167.161.6:20274 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/861 bytes <-> 4 pkts/397 bytes]
43 TCP 192.168.1.34:51236 <-> 111.221.74.45:40008 [proto: 125/Skype][cat: VoIP/10][11 pkts/844 bytes <-> 5 pkts/413 bytes]
- 44 TCP 192.168.1.34:51282 <-> 64.4.23.159:443 [proto: 91/SSL][cat: Web/5][10 pkts/972 bytes <-> 3 pkts/285 bytes]
- 45 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/902 bytes <-> 4 pkts/351 bytes]
+ 44 TCP 192.168.1.34:51282 <-> 64.4.23.159:443 [proto: 91/TLS][cat: Web/5][10 pkts/972 bytes <-> 3 pkts/285 bytes]
+ 45 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/902 bytes <-> 4 pkts/351 bytes]
46 TCP 192.168.1.34:51256 <-> 111.221.77.142:40013 [proto: 125/Skype][cat: VoIP/10][11 pkts/815 bytes <-> 5 pkts/423 bytes]
47 TCP 192.168.1.34:51291 <-> 81.83.77.141:17639 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/942 bytes <-> 3 pkts/284 bytes]
48 TCP 192.168.1.34:51278 <-> 64.4.23.159:40009 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/832 bytes <-> 4 pkts/387 bytes]
- 49 TCP 192.168.1.34:51268 <-> 111.221.74.18:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/852 bytes <-> 4 pkts/351 bytes]
+ 49 TCP 192.168.1.34:51268 <-> 111.221.74.18:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/852 bytes <-> 4 pkts/351 bytes]
50 TCP 192.168.1.34:51309 <-> 149.13.32.15:13392 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/916 bytes <-> 3 pkts/281 bytes]
51 TCP 192.168.1.34:51316 <-> 149.13.32.15:13392 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/862 bytes <-> 3 pkts/314 bytes]
52 TCP 192.168.1.34:51267 <-> 111.221.74.18:40025 [proto: 125/Skype][cat: VoIP/10][10 pkts/785 bytes <-> 4 pkts/378 bytes]
- 53 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/285 bytes]
+ 53 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][10 pkts/872 bytes <-> 3 pkts/285 bytes]
54 TCP 192.168.1.34:51298 <-> 82.224.110.241:38895 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/931 bytes <-> 2 pkts/219 bytes]
55 TCP 192.168.1.34:51313 <-> 212.161.8.36:13392 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/855 bytes <-> 3 pkts/287 bytes]
56 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][cat: System/18][6 pkts/958 bytes <-> 2 pkts/184 bytes][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)]
@@ -93,7 +93,7 @@ JA3 Host Stats:
73 UDP 192.168.1.34:61095 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net][PLAIN TEXT (skypedata)]
74 UDP 192.168.1.34:60413 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst0.r.skype.net]
75 UDP 192.168.1.34:64364 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst0.r.skype.net]
- 76 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][6 pkts/353 bytes <-> 4 pkts/246 bytes]
+ 76 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][6 pkts/353 bytes <-> 4 pkts/246 bytes]
77 UDP 192.168.1.34:63514 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][8 pkts/576 bytes -> 0 pkts/0 bytes][Host: ui.skype.com]
78 UDP 192.168.1.34:55028 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: a.config.skype.com][PLAIN TEXT (config)]
79 UDP 192.168.1.34:63342 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com][PLAIN TEXT (config)]
@@ -104,12 +104,12 @@ JA3 Host Stats:
84 UDP 192.168.1.34:49864 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com]
85 UDP 192.168.1.34:64240 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com]
86 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/293 bytes <-> 3 pkts/186 bytes]
- 87 TCP 192.168.1.34:51308 -> 80.121.84.93:443 [proto: 91/SSL][cat: Web/5][6 pkts/468 bytes -> 0 pkts/0 bytes]
+ 87 TCP 192.168.1.34:51308 -> 80.121.84.93:443 [proto: 91/TLS][cat: Web/5][6 pkts/468 bytes -> 0 pkts/0 bytes]
88 UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/452 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EBEMEJEDEFEHEBFEEFCACACACACACA)]
89 UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][2 pkts/432 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EMFFEDEBFDENEBEDECEPEPELFAFCEP)]
90 TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/237 bytes <-> 3 pkts/186 bytes]
91 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes]
- 92 TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes]
+ 92 TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes]
93 UDP 192.168.1.34:58061 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][2 pkts/349 bytes -> 0 pkts/0 bytes][PLAIN TEXT (SEARCH )]
94 UDP 192.168.1.34:59237 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][2 pkts/349 bytes -> 0 pkts/0 bytes][PLAIN TEXT (SEARCH )]
95 ICMP 192.168.1.1:0 -> 192.168.1.34:0 [proto: 81/ICMP][cat: Network/14][4 pkts/328 bytes -> 0 pkts/0 bytes]
@@ -118,7 +118,7 @@ JA3 Host Stats:
98 UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/101 bytes <-> 1 pkts/166 bytes][Host: db3msgr5011709.gateway.messenger.live.com][PLAIN TEXT (MSGR5011709)]
99 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes]
100 UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/216 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EMFFEDEBFDCNEJENEBEDCACACACACA)]
- 101 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][2 pkts/132 bytes <-> 1 pkts/74 bytes]
+ 101 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][2 pkts/132 bytes <-> 1 pkts/74 bytes]
102 UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
103 UDP 192.168.1.34:63661 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net][PLAIN TEXT (akamaiedge)]
104 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/142 bytes -> 0 pkts/0 bytes][Lucas-iMac.local]
diff --git a/tests/result/smbv1.pcap.out b/tests/result/smbv1.pcap.out
new file mode 100644
index 000000000..d6a2183d9
--- /dev/null
+++ b/tests/result/smbv1.pcap.out
@@ -0,0 +1,3 @@
+SMBv1 7 1197 1
+
+ 1 TCP 172.16.156.130:50927 <-> 10.128.0.243:445 [proto: 16/SMBv1][cat: System/18][4 pkts/669 bytes <-> 3 pkts/528 bytes][PLAIN TEXT (PC NETWORK PROGRAM 1.0)]
diff --git a/tests/result/snapchat.pcap.out b/tests/result/snapchat.pcap.out
index c102086fb..50f3bb6d3 100644
--- a/tests/result/snapchat.pcap.out
+++ b/tests/result/snapchat.pcap.out
@@ -6,6 +6,6 @@ JA3 Host Stats:
1 10.8.0.1 2
- 1 TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][cat: SocialNetwork/6][9 pkts/2290 bytes <-> 8 pkts/1653 bytes][TLSv1.2][JA3C: fded31ac9b978e56ce306f8056092f2a][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 2 TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][cat: SocialNetwork/6][9 pkts/2345 bytes <-> 8 pkts/1032 bytes][TLSv1.2][JA3C: fded31ac9b978e56ce306f8056092f2a][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 3 TCP 10.8.0.1:33233 <-> 74.125.136.141:443 [proto: 91.126/SSL.Google][cat: Web/5][11 pkts/1910 bytes <-> 11 pkts/969 bytes][TLSv1.2][JA3C: 36e9ceaa96dd810482573844f78a063f][JA3S: fbe78c619e7ea20046131294ad087f05][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 1 TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 91.199/TLS.Snapchat][cat: SocialNetwork/6][9 pkts/2290 bytes <-> 8 pkts/1653 bytes][TLSv1.2][client: feelinsonice-hrd.appspot.com][JA3C: fded31ac9b978e56ce306f8056092f2a][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 91.199/TLS.Snapchat][cat: SocialNetwork/6][9 pkts/2345 bytes <-> 8 pkts/1032 bytes][TLSv1.2][client: feelinsonice-hrd.appspot.com][JA3C: fded31ac9b978e56ce306f8056092f2a][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 10.8.0.1:33233 <-> 74.125.136.141:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1910 bytes <-> 11 pkts/969 bytes][TLSv1.2][JA3C: 36e9ceaa96dd810482573844f78a063f][JA3S: fbe78c619e7ea20046131294ad087f05][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out
index 3a8bdebfa..79367d46b 100644
--- a/tests/result/starcraft_battle.pcap.out
+++ b/tests/result/starcraft_battle.pcap.out
@@ -3,7 +3,7 @@ HTTP 450 294880 19
SSDP 11 4984 1
WorldOfWarcraft 9 880 1
IGMP 2 120 1
-SSL 38 2548 11
+TLS 38 2548 11
Google 22 2184 5
Github 3 234 1
Starcraft 236 51494 6
@@ -38,25 +38,25 @@ Starcraft 236 51494 6
28 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7.7/HTTP][cat: Web/5][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net][PLAIN TEXT (GET /cms/bnet)]
29 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7.7/HTTP][cat: Web/5][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net][PLAIN TEXT (GET /cms/bnet)]
30 UDP 192.168.1.100:53145 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/152 bytes <-> 2 pkts/184 bytes][Host: nydus.battle.net][PLAIN TEXT (battle)]
- 31 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 32 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 33 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 34 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 35 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 36 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 37 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 38 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
- 39 TCP 192.30.252.91:443 <-> 192.168.1.100:3213 [proto: 91.203/SSL.Github][cat: Collaborative/15][2 pkts/145 bytes <-> 1 pkts/89 bytes]
- 40 TCP 192.168.1.100:3486 <-> 199.38.164.156:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/120 bytes]
+ 31 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 32 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 33 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 34 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 35 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 36 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 37 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 38 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes]
+ 39 TCP 192.30.252.91:443 <-> 192.168.1.100:3213 [proto: 91.203/TLS.Github][cat: Collaborative/15][2 pkts/145 bytes <-> 1 pkts/89 bytes]
+ 40 TCP 192.168.1.100:3486 <-> 199.38.164.156:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/120 bytes]
41 UDP 192.168.1.100:58844 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][1 pkts/86 bytes <-> 1 pkts/124 bytes][Host: 40.186.239.80.in-addr.arpa][PLAIN TEXT (attens)]
- 42 TCP 192.168.1.100:3484 <-> 173.194.113.224:443 [proto: 91.126/SSL.Google][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/60 bytes]
+ 42 TCP 192.168.1.100:3484 <-> 173.194.113.224:443 [proto: 91.126/TLS.Google][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/60 bytes]
43 TCP 192.168.1.100:2759 <-> 64.233.184.188:5228 [proto: 126/Google][cat: Web/5][1 pkts/55 bytes <-> 1 pkts/66 bytes]
- 44 TCP 192.168.1.100:3052 <-> 216.58.212.110:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/55 bytes <-> 1 pkts/66 bytes]
+ 44 TCP 192.168.1.100:3052 <-> 216.58.212.110:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/55 bytes <-> 1 pkts/66 bytes]
45 IGMP 192.168.1.107:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][2 pkts/120 bytes -> 0 pkts/0 bytes]
46 UDP 192.168.1.100:53146 <-> 5.42.180.154:1119 [proto: 213/Starcraft][cat: Game/8][1 pkts/44 bytes <-> 1 pkts/60 bytes]
47 UDP 192.168.1.100:53146 <-> 62.115.246.51:1119 [proto: 213/Starcraft][cat: Game/8][1 pkts/44 bytes <-> 1 pkts/60 bytes]
48 UDP 192.168.1.100:6113 <-> 213.248.127.166:1119 [proto: 213/Starcraft][cat: Game/8][1 pkts/43 bytes <-> 1 pkts/60 bytes]
49 UDP 192.168.1.100:6113 <-> 213.248.127.212:1119 [proto: 213/Starcraft][cat: Game/8][1 pkts/43 bytes <-> 1 pkts/60 bytes]
50 TCP 192.168.1.100:3534 -> 2.228.46.112:80 [proto: 7/HTTP][cat: Web/5][1 pkts/66 bytes -> 0 pkts/0 bytes]
- 51 TCP 80.239.186.26:443 -> 192.168.1.100:3476 [proto: 91/SSL][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
- 52 TCP 80.239.186.40:443 -> 192.168.1.100:3478 [proto: 91/SSL][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
+ 51 TCP 80.239.186.26:443 -> 192.168.1.100:3476 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
+ 52 TCP 80.239.186.40:443 -> 192.168.1.100:3478 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
index 87d796bca..601cacc4c 100644
--- a/tests/result/tor.pcap.out
+++ b/tests/result/tor.pcap.out
@@ -1,17 +1,22 @@
NetBIOS 1 252 1
-SSL 1 60 1
+TLS 1 60 1
DHCPV6 6 906 1
Dropbox 10 1860 1
Tor 3676 3014362 7
- 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 163/Tor][cat: VPN/2][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes][PLAIN TEXT (id.com)]
- 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][PLAIN TEXT (cyamnc6)]
- 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][cat: VPN/2][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][PLAIN TEXT (www.ct7)]
- 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 163/Tor][cat: VPN/2][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][PLAIN TEXT (www.gfu)]
- 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][cat: VPN/2][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][PLAIN TEXT (57kbafwrx)]
- 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][cat: VPN/2][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][PLAIN TEXT (ru.com)]
- 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][PLAIN TEXT (sieb.com)]
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.1.252 1
+
+
+ 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 163/Tor][cat: VPN/2][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes][TLSv1][client: www.jmts2id.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][server: www.gg562izcxdvqdk.com][JA3S: e1691a31bfe345d2692da75636ddfb00][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (id.com)]
+ 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][TLSv1][client: www.q4cyamnc6mtokjurvdclt.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (cyamnc6)]
+ 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][cat: VPN/2][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][TLSv1][client: www.ct7ctrgb6cr7.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (www.ct7)]
+ 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 163/Tor][cat: VPN/2][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][TLSv1][client: www.gfu7hbxpfp.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][server: www.xkgk7fdx362yyyxib.com][JA3S: 184d532a16876b78846ae6a03f654890][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA][PLAIN TEXT (www.gfu)]
+ 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][cat: VPN/2][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][TLSv1][client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (57kbafwrx)]
+ 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][cat: VPN/2][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][TLSv1][client: www.t3i3ru.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (ru.com)]
+ 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][TLSv1][client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (sieb.com)]
8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 676879976)]
9 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][6 pkts/906 bytes -> 0 pkts/0 bytes][PLAIN TEXT (Endian)]
10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)]
- 11 TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/SSL][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
+ 11 TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes -> 0 pkts/0 bytes]
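Review bot: The new expected rows for Tor flows 2, 3, 5, 6 and 7 carry `[client: …]` and `[JA3C: …]` but no `[server: …]`, `[JA3S: …]` or `[Cipher: …]`, while flows 1 and 4 have all of them, although every one of these flows shows packets in both directions. The cause is not visible in this hunk: it may be the capture itself, or the dissector may stop parsing the server side once the flow is classified as Tor. In the second case this golden file would pin partial TLS metadata as the correct result, and anything matching on JA3S or cipher for these flows would silently get nothing. It is worth checking the pcap for the server handshake on those five flows before accepting the output. If the gap is expected, a line in the commit description such as `tor.pcap: JA3S/cipher only present for flows 1 and 4` would stop it being read as a regression later.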
diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out
index 32dc468e5..f14526bca 100644
--- a/tests/result/viber.pcap.out
+++ b/tests/result/viber.pcap.out
@@ -1,7 +1,7 @@
DNS 8 1267 4
MDNS 4 412 1
ICMP 2 3028 1
-SSL 12 824 2
+TLS 12 824 2
ICMPV6 2 140 1
Facebook 2 281 1
Google 32 9133 3
@@ -14,20 +14,20 @@ JA3 Host Stats:
1 192.168.0.17 2
- 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/SSL.Viber][cat: VoIP/10][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][organization: Viber Media Sarl][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/SSL.Viber][cat: VoIP/10][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][organization: Viber Media Sarl][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/SSL.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/TLS.Viber][cat: VoIP/10][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][TLSv1.2][client: dl-media.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][organization: Viber Media Sarl][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/TLS.Viber][cat: VoIP/10][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][TLSv1.2][client: media.cdn.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][organization: Viber Media Sarl][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][TLSv1.2][client: brahe.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: VoIP/10][32 pkts/6563 bytes <-> 26 pkts/2782 bytes]
- 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][TLSv1.2][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91.137/SSL.GenericProtocol][cat: Media/1][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: y.ssl.fastly.net][JA3S: 860fcf58fd757e26aa8911e5eaff6b53][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/TLS.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][TLSv1.2][client: app-measurement.com][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][TLSv1.2][client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91.137/TLS.GenericProtocol][cat: Media/1][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][TLSv1.2][client: venetia.iad.appboy.com][JA3C: d8c87b9bfde38897979e41242626c2f3][server: y.ssl.fastly.net][JA3S: 860fcf58fd757e26aa8911e5eaff6b53][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][TLSv1.2][client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
9 UDP 192.168.0.17:47171 <-> 18.201.4.32:7985 [proto: 144/Viber][cat: VoIP/10][24 pkts/5035 bytes <-> 22 pkts/2302 bytes][PLAIN TEXT (Android)]
10 UDP 192.168.0.17:38190 <-> 18.201.4.3:7985 [proto: 144/Viber][cat: VoIP/10][25 pkts/4344 bytes <-> 18 pkts/1872 bytes][PLAIN TEXT (Android)]
11 ICMP 192.168.0.17:0 <-> 192.168.0.15:0 [proto: 81/ICMP][cat: Network/14][1 pkts/1514 bytes <-> 1 pkts/1514 bytes][PLAIN TEXT (1234567890ABCDEFGHIJKLMNOPQ)]
12 UDP 192.168.0.17:62872 <-> 192.168.0.15:53 [proto: 5/DNS][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/373 bytes][Host: mapi.apptimize.com][PLAIN TEXT (apptimize)]
- 13 TCP 192.168.0.17:33744 <-> 18.201.4.3:443 [proto: 91/SSL][cat: Web/5][4 pkts/272 bytes <-> 2 pkts/140 bytes]
- 14 TCP 192.168.0.17:45424 <-> 18.201.4.32:443 [proto: 91/SSL][cat: Web/5][4 pkts/272 bytes <-> 2 pkts/140 bytes]
+ 13 TCP 192.168.0.17:33744 <-> 18.201.4.3:443 [proto: 91/TLS][cat: Web/5][4 pkts/272 bytes <-> 2 pkts/140 bytes]
+ 14 TCP 192.168.0.17:45424 <-> 18.201.4.32:443 [proto: 91/TLS][cat: Web/5][4 pkts/272 bytes <-> 2 pkts/140 bytes]
15 UDP 192.168.0.17:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][4 pkts/412 bytes -> 0 pkts/0 bytes][PLAIN TEXT (805741C)]
16 UDP 192.168.0.17:35283 <-> 192.168.0.15:53 [proto: 5/DNS][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/303 bytes][Host: app.adjust.com][PLAIN TEXT (adjust)]
17 UDP 192.168.0.17:45743 <-> 192.168.0.15:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/78 bytes <-> 1 pkts/203 bytes][Host: graph.facebook.com][PLAIN TEXT (facebook)]
diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out
index 949d4bba4..796571eb3 100644
--- a/tests/result/waze.pcap.out
+++ b/tests/result/waze.pcap.out
@@ -1,7 +1,7 @@
Unknown 10 786 1
HTTP 65 64777 8
NTP 2 180 1
-SSL 8 432 2
+TLS 8 432 2
Google 13 2142 1
Waze 484 289335 19
WhatsApp 15 1341 1
@@ -11,21 +11,21 @@ JA3 Host Stats:
1 10.8.0.1 2
- 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][cat: Web/5][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Host: xtra1.gpsonextra.net][PLAIN TEXT (GET /xtra)]
- 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Host: roadshields.waze.com][PLAIN TEXT (GET /images/HD/CH)]
- 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 91.126/SSL.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 23f1f6e2f0015c166df49fdab4280370 (INSECURE)][Cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA]
+ 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 91.126/TLS.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 23f1f6e2f0015c166df49fdab4280370 (INSECURE)][Cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA]
16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][8 pkts/594 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com][PLAIN TEXT (GET /lang)]
17 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 142/WhatsApp][cat: Chat/9][8 pkts/673 bytes <-> 7 pkts/668 bytes][PLAIN TEXT (Android)]
18 TCP 10.8.0.1:45546 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/557 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com][PLAIN TEXT (GET /newV)]
@@ -38,9 +38,9 @@ JA3 Host Stats:
25 TCP 10.16.37.157:46473 <-> 200.160.4.49:80 [proto: 7/HTTP][cat: Web/5][2 pkts/120 bytes <-> 2 pkts/108 bytes]
26 TCP 10.16.37.157:52746 <-> 200.160.4.49:80 [proto: 7/HTTP][cat: Web/5][2 pkts/120 bytes <-> 2 pkts/108 bytes]
27 TCP 10.16.37.157:52953 <-> 200.160.4.49:80 [proto: 7/HTTP][cat: Web/5][2 pkts/120 bytes <-> 2 pkts/108 bytes]
- 28 TCP 10.8.0.1:43089 <-> 200.160.4.198:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
+ 28 TCP 10.8.0.1:43089 <-> 200.160.4.198:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
29 TCP 10.8.0.1:45169 <-> 200.160.4.198:80 [proto: 7/HTTP][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
- 30 TCP 10.8.0.1:60479 <-> 200.160.4.49:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
+ 30 TCP 10.8.0.1:60479 <-> 200.160.4.49:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
31 TCP 10.8.0.1:60574 <-> 200.160.4.49:80 [proto: 7/HTTP][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
32 UDP 10.8.0.1:46214 <-> 200.89.75.198:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes]
diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out
index 845ef39ef..bd80b8122 100644
--- a/tests/result/webex.pcap.out
+++ b/tests/result/webex.pcap.out
@@ -1,5 +1,5 @@
HTTP 22 3182 2
-SSL 106 11841 8
+TLS 106 11841 8
SIP 22 15356 1
Google 17 6375 1
Webex 1380 818407 43
@@ -10,60 +10,60 @@ JA3 Host Stats:
1 10.8.0.1 6
- 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][server: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][organization: Cisco Systems, Inc.][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][TLSv1.2][client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][TLSv1.2][client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][server: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][organization: Cisco Systems, Inc.][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
8 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][cat: VoIP/10][22 pkts/15356 bytes -> 0 pkts/0 bytes][PLAIN TEXT (REGISTER sip)]
- 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
- 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/SSL.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][TLSv1.2][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][server: *.google-analytics.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][organization: Google Inc][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 33 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 34 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][TLSv1][client: api.crittercism.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][TLSv1.2][client: ssl.google-analytics.com][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][server: *.google-analytics.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][organization: Google Inc][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 33 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 34 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
35 TCP 10.8.0.1:59756 <-> 78.46.237.91:80 [proto: 7/HTTP][cat: Web/5][6 pkts/970 bytes <-> 6 pkts/821 bytes][Host: cp.pushwoosh.com][PLAIN TEXT (POST /j)]
- 36 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][7 pkts/1280 bytes <-> 6 pkts/453 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 36 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][7 pkts/1280 bytes <-> 6 pkts/453 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
37 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][cat: Web/5][5 pkts/624 bytes <-> 5 pkts/767 bytes][Host: cp.pushwoosh.com][PLAIN TEXT (POST /j)]
38 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 141/Webex][cat: VoIP/10][14 pkts/1071 bytes <-> 2 pkts/100 bytes]
- 39 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/614 bytes <-> 5 pkts/399 bytes][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 40 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][5 pkts/560 bytes <-> 4 pkts/345 bytes][TLSv1.2][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 41 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/501 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 42 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 43 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 44 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 45 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 46 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 47 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 48 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 49 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][4 pkts/452 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333]
- 50 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6]
- 51 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6]
- 52 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/299 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 53 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][3 pkts/245 bytes <-> 2 pkts/108 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
- 54 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][3 pkts/209 bytes <-> 2 pkts/108 bytes]
- 55 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][2 pkts/128 bytes <-> 1 pkts/54 bytes]
- 56 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/SSL][cat: Web/5][1 pkts/66 bytes <-> 2 pkts/108 bytes]
- 57 TCP 10.133.206.47:59447 <-> 107.20.242.44:443 [proto: 91.178/SSL.Amazon][cat: Web/5][1 pkts/66 bytes <-> 2 pkts/108 bytes]
+ 39 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/614 bytes <-> 5 pkts/399 bytes][TLSv1.2][client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 40 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][5 pkts/560 bytes <-> 4 pkts/345 bytes][TLSv1.2][client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 41 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/501 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 42 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 43 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 44 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 45 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 46 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 47 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 48 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 49 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][4 pkts/452 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333]
+ 50 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6]
+ 51 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6]
+ 52 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][4 pkts/299 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 53 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][3 pkts/245 bytes <-> 2 pkts/108 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f]
+ 54 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][3 pkts/209 bytes <-> 2 pkts/108 bytes]
+ 55 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][2 pkts/128 bytes <-> 1 pkts/54 bytes]
+ 56 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/TLS][cat: Web/5][1 pkts/66 bytes <-> 2 pkts/108 bytes]
+ 57 TCP 10.133.206.47:59447 <-> 107.20.242.44:443 [proto: 91.178/TLS.Amazon][cat: Web/5][1 pkts/66 bytes <-> 2 pkts/108 bytes]
diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out
index 16c97de3a..6eb1fbbc4 100644
--- a/tests/result/wechat.pcap.out
+++ b/tests/result/wechat.pcap.out
@@ -6,7 +6,7 @@ NetBIOS 12 1579 2
DHCP 1 342 1
QQ 26 9402 2
IGMP 24 1280 4
-SSL 21 1209 3
+TLS 21 1209 3
ICMPV6 4 328 3
Google 113 24811 15
LLMNR 12 944 6
@@ -18,52 +18,52 @@ JA3 Host Stats:
1 192.168.1.103 3
- 1 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 64.197/SSL_No_Cert.WeChat][cat: SocialNetwork/6][88 pkts/15114 bytes <-> 91 pkts/61842 bytes][PLAIN TEXT (@WPDFg)]
- 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][TLSv1.2][JA3C: 550dce18de1bb143e69d6dd9413b8355][server: wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2 (WEAK)][organization: Shenzhen Tencent Computer Systems Company Limited][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384]
- 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/SSL.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][TLSv1.2][JA3C: d551fafc4f40f1dec2bb45980bfa9492][server: *.googleusercontent.com][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][organization: Google Inc][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256]
+ 1 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 64.197/TLS_No_Cert.WeChat][cat: SocialNetwork/6][88 pkts/15114 bytes <-> 91 pkts/61842 bytes][PLAIN TEXT (@WPDFg)]
+ 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/TLS.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][TLSv1.2][client: res.wx.qq.com][JA3C: 550dce18de1bb143e69d6dd9413b8355][server: wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2 (WEAK)][organization: Shenzhen Tencent Computer Systems Company Limited][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384]
+ 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/TLS.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][TLSv1.2][client: safebrowsing.googleusercontent.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][server: *.googleusercontent.com][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][organization: Google Inc][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256]
23 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Host: ssl.gstatic.com][PLAIN TEXT (ssl.gstatic.com)]
- 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.241/QUIC.GoogleDocs][cat: Media/1][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Host: docs.google.com][PLAIN TEXT (docs.google.comr)]
- 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
- 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][9 pkts/966 bytes <-> 6 pkts/3571 bytes][TLSv1.2][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.241/QUIC.GoogleDocs][cat: Collaborative/15][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Host: docs.google.com][PLAIN TEXT (docs.google.comr)]
+ 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][9 pkts/966 bytes <-> 6 pkts/3571 bytes][TLSv1.2][client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][organization: Tencent Mobility Limited][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
32 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/4488 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)]
33 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Host: ssl.gstatic.com][PLAIN TEXT (ssl.gstatic.com)]
34 UDP 192.168.1.103:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/3608 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)]
- 35 TCP 192.168.1.103:54183 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][2 pkts/2508 bytes -> 0 pkts/0 bytes][PLAIN TEXT (G@aRkU)]
+ 35 TCP 192.168.1.103:54183 -> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][2 pkts/2508 bytes -> 0 pkts/0 bytes][PLAIN TEXT (G@aRkU)]
36 UDP [fe80::91f9:3df3:7436:6cd6]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][14 pkts/1428 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)]
37 TCP 192.168.1.103:36017 <-> 64.233.167.188:5228 [proto: 126/Google][cat: Web/5][10 pkts/660 bytes <-> 10 pkts/660 bytes]
38 UDP 192.168.1.100:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][14 pkts/1148 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)]
- 39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][13 pkts/866 bytes <-> 4 pkts/280 bytes]
- 40 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/SSL.Google][cat: Web/5][3 pkts/1078 bytes -> 0 pkts/0 bytes]
- 41 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][3 pkts/802 bytes <-> 3 pkts/198 bytes]
+ 39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][13 pkts/866 bytes <-> 4 pkts/280 bytes]
+ 40 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/TLS.Google][cat: Web/5][3 pkts/1078 bytes -> 0 pkts/0 bytes]
+ 41 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][3 pkts/802 bytes <-> 3 pkts/198 bytes]
42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)]
43 IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][15 pkts/810 bytes -> 0 pkts/0 bytes]
44 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][3 pkts/751 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)]
- 45 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 4 pkts/280 bytes]
- 46 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 4 pkts/280 bytes]
+ 45 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 4 pkts/280 bytes]
+ 46 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 4 pkts/280 bytes]
47 UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5.48/DNS.QQ][cat: Chat/9][1 pkts/73 bytes <-> 1 pkts/537 bytes][Host: res.wx.qq.com]
48 TCP 192.168.1.103:34981 -> 95.101.34.33:80 [proto: 7/HTTP][cat: Web/5][9 pkts/594 bytes -> 0 pkts/0 bytes]
49 TCP 192.168.1.103:34996 -> 95.101.34.33:80 [proto: 7/HTTP][cat: Web/5][9 pkts/594 bytes -> 0 pkts/0 bytes]
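Review bot: The new `[client: …]` field on the added flow lines reads as if it identified the client, but it appears to carry the server name the client asked for in its handshake. In flow 22, `[client: safebrowsing.googleusercontent.com]` sits next to `[server: *.googleusercontent.com]`, and the `client:` values in flows 21 and 22 match the names looked up over DNS in flows 47 and 65. If so, the value is chosen by the client and is unauthenticated, whereas `server:` looks certificate-derived (wildcard name, `organization:` next to it). Anyone matching on this output for detection should compare the two rather than trust `client:` alone. I would label the field for what it is, e.g. `[client SNI: web.wechat.com]`, in the code that prints the flow line, which is outside this hunk. The same field shows up in flow 13 of tests/result/weibo.pcap.out, there without any `server:` value beside it.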
@@ -71,27 +71,27 @@ JA3 Host Stats:
51 TCP 192.168.1.103:35000 -> 95.101.34.33:80 [proto: 7/HTTP][cat: Web/5][9 pkts/594 bytes -> 0 pkts/0 bytes]
52 TCP 192.168.1.103:39207 -> 95.101.34.34:80 [proto: 7/HTTP][cat: Web/5][9 pkts/594 bytes -> 0 pkts/0 bytes]
53 TCP 192.168.1.103:39231 -> 95.101.34.34:80 [proto: 7/HTTP][cat: Web/5][9 pkts/594 bytes -> 0 pkts/0 bytes][PLAIN TEXT (PLTbOhOof)]
- 54 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][cat: Web/5][4 pkts/264 bytes <-> 4 pkts/319 bytes][PLAIN TEXT (lMRov.)]
- 55 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 3 pkts/214 bytes]
- 56 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 3 pkts/214 bytes]
+ 54 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91.126/TLS.Google][cat: Web/5][4 pkts/264 bytes <-> 4 pkts/319 bytes][PLAIN TEXT (lMRov.)]
+ 55 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 3 pkts/214 bytes]
+ 56 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][5 pkts/338 bytes <-> 3 pkts/214 bytes]
57 TCP 192.168.1.103:39195 -> 95.101.34.34:80 [proto: 7/HTTP][cat: Web/5][8 pkts/528 bytes -> 0 pkts/0 bytes]
58 TCP 192.168.1.103:52020 -> 95.101.180.179:80 [proto: 7/HTTP][cat: Web/5][8 pkts/528 bytes -> 0 pkts/0 bytes]
- 59 TCP 192.168.1.103:43851 <-> 203.205.158.34:443 [proto: 91/SSL][cat: Web/5][5 pkts/290 bytes <-> 4 pkts/234 bytes]
- 60 TCP 192.168.1.103:47627 <-> 216.58.205.78:443 [proto: 91.126/SSL.Google][cat: Web/5][3 pkts/198 bytes <-> 4 pkts/319 bytes]
- 61 TCP 192.168.1.103:40740 <-> 203.205.151.211:443 [proto: 91/SSL][cat: Web/5][4 pkts/216 bytes <-> 4 pkts/253 bytes]
+ 59 TCP 192.168.1.103:43851 <-> 203.205.158.34:443 [proto: 91/TLS][cat: Web/5][5 pkts/290 bytes <-> 4 pkts/234 bytes]
+ 60 TCP 192.168.1.103:47627 <-> 216.58.205.78:443 [proto: 91.126/TLS.Google][cat: Web/5][3 pkts/198 bytes <-> 4 pkts/319 bytes]
+ 61 TCP 192.168.1.103:40740 <-> 203.205.151.211:443 [proto: 91/TLS][cat: Web/5][4 pkts/216 bytes <-> 4 pkts/253 bytes]
62 UDP 192.168.1.103:60356 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][1 pkts/74 bytes <-> 1 pkts/391 bytes][Host: web.wechat.com][PLAIN TEXT (wechat)]
- 63 TCP 192.168.1.103:49787 <-> 216.58.205.142:443 [proto: 91.126/SSL.Google][cat: Web/5][3 pkts/198 bytes <-> 3 pkts/198 bytes]
- 64 TCP 192.168.1.103:58226 -> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][6 pkts/396 bytes -> 0 pkts/0 bytes]
+ 63 TCP 192.168.1.103:49787 <-> 216.58.205.142:443 [proto: 91.126/TLS.Google][cat: Web/5][3 pkts/198 bytes <-> 3 pkts/198 bytes]
+ 64 TCP 192.168.1.103:58226 -> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][6 pkts/396 bytes -> 0 pkts/0 bytes]
65 UDP 192.168.1.103:53734 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/94 bytes <-> 1 pkts/272 bytes][Host: safebrowsing.googleusercontent.com][PLAIN TEXT (safebrowsing)]
- 66 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][3 pkts/206 bytes <-> 2 pkts/148 bytes]
+ 66 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][3 pkts/206 bytes <-> 2 pkts/148 bytes]
67 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: iphonedimonica][DHCP Fingerprint: 1,121,3,6,15,119,252][PLAIN TEXT (iPhonediMonica)]
68 UDP 192.168.1.103:46078 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com][PLAIN TEXT (gstatic)]
69 UDP 192.168.1.103:60562 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com][PLAIN TEXT (gstatic)]
- 70 UDP 192.168.1.103:55862 <-> 192.168.1.254:53 [proto: 5.241/DNS.GoogleDocs][cat: Media/1][1 pkts/75 bytes <-> 1 pkts/227 bytes][Host: docs.google.com][PLAIN TEXT (google)]
+ 70 UDP 192.168.1.103:55862 <-> 192.168.1.254:53 [proto: 5.241/DNS.GoogleDocs][cat: Collaborative/15][1 pkts/75 bytes <-> 1 pkts/227 bytes][Host: docs.google.com][PLAIN TEXT (google)]
71 IGMP 192.168.1.103:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][4 pkts/216 bytes -> 0 pkts/0 bytes]
- 72 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
+ 72 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes]
73 IGMP 192.168.1.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][cat: Network/14][4 pkts/200 bytes -> 0 pkts/0 bytes]
- 74 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][2 pkts/132 bytes <-> 1 pkts/66 bytes]
+ 74 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][2 pkts/132 bytes <-> 1 pkts/66 bytes]
75 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz][PLAIN TEXT (lbjamwptx)]
76 UDP [fe80::91f9:3df3:7436:6cd6]:49195 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: cansaqcq][PLAIN TEXT (cansaqcq)]
77 UDP [fe80::91f9:3df3:7436:6cd6]:50577 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: mcztmpkc][PLAIN TEXT (mcztmpkc)]
@@ -105,10 +105,10 @@ JA3 Host Stats:
85 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz][PLAIN TEXT (lbjamwptx)]
86 UDP 192.168.1.100:49832 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: cansaqcq][PLAIN TEXT (cansaqcq)]
87 UDP 192.168.1.100:57401 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: mcztmpkc][PLAIN TEXT (mcztmpkc)]
- 88 TCP 192.168.1.103:54106 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][2 pkts/132 bytes -> 0 pkts/0 bytes]
- 89 TCP 192.168.1.103:54109 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 90 TCP 192.168.1.103:54110 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 91 TCP 192.168.1.103:54205 -> 64.233.167.188:443 [proto: 91.126/SSL.Google][cat: Web/5][2 pkts/132 bytes -> 0 pkts/0 bytes]
+ 88 TCP 192.168.1.103:54106 -> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][2 pkts/132 bytes -> 0 pkts/0 bytes]
+ 89 TCP 192.168.1.103:54109 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 90 TCP 192.168.1.103:54110 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: SocialNetwork/6][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 91 TCP 192.168.1.103:54205 -> 64.233.167.188:443 [proto: 91.126/TLS.Google][cat: Web/5][2 pkts/132 bytes -> 0 pkts/0 bytes]
92 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes]
93 0 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/110 bytes -> 0 pkts/0 bytes]
94 UDP 192.168.1.103:37578 -> 193.204.114.233:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out
index 4496200f5..6d3d81316 100644
--- a/tests/result/weibo.pcap.out
+++ b/tests/result/weibo.pcap.out
@@ -1,6 +1,6 @@
DNS 10 1059 5
HTTP 19 2275 5
-SSL 15 1234 10
+TLS 15 1234 10
Google 33 4778 7
Amazon 2 132 1
Sina(Weibo) 419 258077 16
@@ -22,7 +22,7 @@ JA3 Host Stats:
10 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][cat: Web/5][5 pkts/736 bytes <-> 4 pkts/863 bytes][Host: weibo.com][PLAIN TEXT (GET /login.php)]
11 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/604 bytes <-> 2 pkts/140 bytes][Host: js.t.sinajs.cn][PLAIN TEXT (KGET /t)]
12 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/610 bytes <-> 1 pkts/66 bytes][Host: u1.img.mobile.sina.cn][PLAIN TEXT (GET /public/files/image/620)]
- 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/SSL][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][TLSv1][JA3C: 58e7f64db6e4fe4941dd9691d421196c][PLAIN TEXT (g.alicdn.com)]
+ 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][TLSv1][client: g.alicdn.com][JA3C: 58e7f64db6e4fe4941dd9691d421196c][PLAIN TEXT (g.alicdn.com)]
14 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/75 bytes <-> 1 pkts/191 bytes][Host: img.t.sinajs.cn]
15 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/74 bytes <-> 1 pkts/190 bytes][Host: js.t.sinajs.cn]
16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/171 bytes][Host: g.alicdn.com][PLAIN TEXT (alicdn)]
@@ -31,26 +31,26 @@ JA3 Host Stats:
19 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/77 bytes <-> 1 pkts/157 bytes][Host: acjstb.aliyun.com][PLAIN TEXT (alibabadns)]
20 UDP 192.168.1.105:7148 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/73 bytes <-> 1 pkts/142 bytes][Host: www.weibo.com]
21 TCP 192.168.1.105:35808 <-> 93.188.134.246:80 [proto: 7/HTTP][cat: Web/5][2 pkts/140 bytes <-> 1 pkts/74 bytes]
- 22 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/SSL][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/66 bytes]
+ 22 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/66 bytes]
23 TCP 192.168.1.105:59120 <-> 114.134.80.162:80 [proto: 7/HTTP][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/66 bytes]
24 TCP 192.168.1.105:59121 <-> 114.134.80.162:80 [proto: 7/HTTP][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/66 bytes]
25 UDP 192.168.1.105:53466 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/112 bytes][Host: log.mmstat.com][PLAIN TEXT (mmstat)]
26 UDP 192.168.1.105:54988 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/69 bytes <-> 1 pkts/85 bytes][Host: weibo.com]
- 27 TCP 192.168.1.105:34699 <-> 216.58.212.65:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 28 TCP 192.168.1.105:35154 <-> 216.58.210.206:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 29 TCP 192.168.1.105:37802 <-> 216.58.212.69:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 30 TCP 192.168.1.105:40440 <-> 54.225.163.210:443 [proto: 91.178/SSL.Amazon][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 31 TCP 192.168.1.105:58480 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
- 32 TCP 192.168.1.105:58481 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 27 TCP 192.168.1.105:34699 <-> 216.58.212.65:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 28 TCP 192.168.1.105:35154 <-> 216.58.210.206:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 29 TCP 192.168.1.105:37802 <-> 216.58.212.69:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 30 TCP 192.168.1.105:40440 <-> 54.225.163.210:443 [proto: 91.178/TLS.Amazon][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 31 TCP 192.168.1.105:58480 <-> 216.58.214.78:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
+ 32 TCP 192.168.1.105:58481 <-> 216.58.214.78:443 [proto: 91.126/TLS.Google][cat: Web/5][1 pkts/66 bytes <-> 1 pkts/66 bytes]
33 UDP 192.168.1.105:11798 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/77 bytes -> 0 pkts/0 bytes][Host: account.weibo.com][PLAIN TEXT (account)]
34 TCP 192.168.1.105:42280 -> 222.73.28.96:80 [proto: 7/HTTP][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 35 TCP 192.168.1.105:47721 -> 140.205.170.63:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 36 TCP 192.168.1.105:47723 -> 140.205.170.63:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 37 TCP 192.168.1.105:48352 -> 140.205.174.1:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 38 TCP 192.168.1.105:48353 -> 140.205.174.1:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 39 TCP 192.168.1.105:48356 -> 140.205.174.1:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 40 TCP 192.168.1.105:52271 -> 42.156.184.19:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 41 TCP 192.168.1.105:52272 -> 42.156.184.19:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
- 42 TCP 192.168.1.105:52274 -> 42.156.184.19:443 [proto: 91/SSL][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 35 TCP 192.168.1.105:47721 -> 140.205.170.63:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 36 TCP 192.168.1.105:47723 -> 140.205.170.63:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 37 TCP 192.168.1.105:48352 -> 140.205.174.1:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 38 TCP 192.168.1.105:48353 -> 140.205.174.1:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 39 TCP 192.168.1.105:48356 -> 140.205.174.1:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 40 TCP 192.168.1.105:52271 -> 42.156.184.19:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 41 TCP 192.168.1.105:52272 -> 42.156.184.19:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
+ 42 TCP 192.168.1.105:52274 -> 42.156.184.19:443 [proto: 91/TLS][cat: Web/5][1 pkts/74 bytes -> 0 pkts/0 bytes]
43 UDP 192.168.1.105:50533 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/74 bytes -> 0 pkts/0 bytes][Host: data.weibo.com]
44 UDP 192.168.1.105:16804 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: c.weibo.cn]
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index 6c4676815..ddddd743b 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -3,13 +3,13 @@ MDNS 8 952 4
DHCP 10 3420 1
STUN 27 2322 2
ICMP 10 700 1
-RTP 706 91156 4
-SSL 8 589 2
+RTP 44 7818 2
+TLS 8 589 2
Dropbox 4 2176 1
Apple 190 50263 21
WhatsApp 182 25154 2
Spotify 3 258 1
-WhatsAppVoice 70 9464 14
+WhatsAppVoice 732 92802 16
ApplePush 22 5926 1
JA3 Host Stats:
@@ -17,12 +17,12 @@ JA3 Host Stats:
1 192.168.2.4 1
- 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 87/RTP][cat: Media/1][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][PLAIN TEXT (zTdFPOk)]
- 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 87/RTP][cat: Media/1][141 pkts/17530 bytes <-> 57 pkts/12888 bytes]
+ 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][PLAIN TEXT (zTdFPOk)]
+ 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes]
3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][PLAIN TEXT (iPhone)]
- 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][organization: Apple Inc.][Cipher: TLS_RSA_WITH_RC4_128_MD5]
- 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][TLSv1.2][client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][TLSv1.2][client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][organization: Apple Inc.][Cipher: TLS_RSA_WITH_RC4_128_MD5]
+ 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][TLSv1.2][client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][PLAIN TEXT (yfV.nY)]
8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 87/RTP][cat: Media/1][12 pkts/2341 bytes <-> 12 pkts/2484 bytes]
9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
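Review bot: Flow 8 (`192.168.2.4:51518 <-> 31.13.93.48:3478`) is still pinned as `[proto: 87/RTP][cat: Media/1]`, although it shares local port 51518 with flow 1, which this hunk re-baselines to `78.189/STUN.WhatsAppVoice`. Its remote port 3478 is also the one on which flows 27-29 in the next hunk are already reported as `STUN.WhatsAppVoice`. The summary hunk above agrees with this split (`RTP 44 7818 2`, `WhatsAppVoice 732 92802 16`), so the baseline is internally consistent, but it records two different labels for what looks like the same call. If that is not intended, the dissector should be fixed first so that the regenerated line reads `[proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10]`. If it is intended, the commit message should say why, since consumers that apply policy or alerting per protocol label will treat the two flows differently.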
@@ -46,7 +46,7 @@ JA3 Host Stats:
27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 30 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/SSL][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes]
+ 30 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes]
31 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes]
32 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: query.ess.apple.com][PLAIN TEXT (akadns)]
33 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e13.whatsapp.net][PLAIN TEXT (whatsapp)]
@@ -57,20 +57,20 @@ JA3 Host Stats:
38 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes]
39 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
40 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
- 41 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/SSL][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
- 42 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
- 43 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 44 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 45 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 46 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 47 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 48 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 49 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 50 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 51 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 52 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 53 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 54 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 55 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 56 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
- 57 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 41 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/TLS][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
+ 42 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
+ 43 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 44 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 45 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 46 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 47 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 48 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 49 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 50 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 51 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 52 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 53 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 54 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 55 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 56 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
+ 57 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes]
diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out
index 442aa26e3..240356883 100644
--- a/tests/result/whatsapp_login_chat.pcap.out
+++ b/tests/result/whatsapp_login_chat.pcap.out
@@ -6,7 +6,7 @@ WhatsApp 32 3243 2
Spotify 1 86 1
ApplePush 6 2095 1
- 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes]
+ 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes]
2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][cat: Chat/9][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][PLAIN TEXT (iPhone)]
3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes]
4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Host: lucas-imac][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
diff --git a/tests/result/whatsappfiles.pcap.out b/tests/result/whatsappfiles.pcap.out
index e69d94801..dd7fca63a 100644
--- a/tests/result/whatsappfiles.pcap.out
+++ b/tests/result/whatsappfiles.pcap.out
@@ -5,5 +5,5 @@ JA3 Host Stats:
1 192.168.2.29 2
- 1 TCP 192.168.2.29:49698 <-> 185.60.216.53:443 [proto: 91.242/SSL.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][132 pkts/9906 bytes <-> 178 pkts/237405 bytes][TLSv1.2][JA3C: 4e1a414c4f4c99097edd2a9a98e336c8][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
- 2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/SSL.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][TLSv1.2][JA3C: 107144b88827da5da9ed42d8776ccdc5][server: *.whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 1 TCP 192.168.2.29:49698 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][132 pkts/9906 bytes <-> 178 pkts/237405 bytes][TLSv1.2][client: mmg-fna.whatsapp.net][JA3C: 4e1a414c4f4c99097edd2a9a98e336c8][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
+ 2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][TLSv1.2][client: mmg-fna.whatsapp.net][JA3C: 107144b88827da5da9ed42d8776ccdc5][server: *.whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][organization: Facebook, Inc.][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
diff --git a/tests/result/youtubeupload.pcap.out b/tests/result/youtubeupload.pcap.out
index fca3ab7bb..db8d12514 100644
--- a/tests/result/youtubeupload.pcap.out
+++ b/tests/result/youtubeupload.pcap.out
@@ -7,4 +7,4 @@ JA3 Host Stats:
1 UDP 192.168.2.27:51925 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][80 pkts/100473 bytes <-> 20 pkts/6003 bytes][Host: upload.youtube.com][PLAIN TEXT (upload.youtube.comQ)]
2 UDP 192.168.2.27:62232 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][13 pkts/8651 bytes <-> 11 pkts/6463 bytes][Host: upload.youtube.com][PLAIN TEXT (upload.youtube.comQ)]
- 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/SSL.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][TLSv1.2][JA3C: bc6c386f480ee97b9d9e52d472b772d8][server: upload.video.google.com][JA3S: b26c652e0a402a24b5ca2a660e84f9d5][organization: Google Inc][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
+ 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/TLS.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][TLSv1.2][client: upload.youtube.com][JA3C: bc6c386f480ee97b9d9e52d472b772d8][server: upload.video.google.com][JA3S: b26c652e0a402a24b5ca2a660e84f9d5][organization: Google Inc][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]