-rw-r--r--README.protocols2
-rw-r--r--example/ndpiReader.c14
-rw-r--r--example/ndpi_util.c2
-rw-r--r--packages/homebrew/ndpi.rb11
-rw-r--r--src/include/ndpi_protocol_ids.h3
-rw-r--r--src/include/ndpi_protocols.h2
-rw-r--r--src/lib/Makefile.am8
-rw-r--r--src/lib/ndpi_content_match.c.inc3
-rw-r--r--src/lib/ndpi_main.c101
-rw-r--r--src/lib/protocols/bittorrent.c9
-rw-r--r--src/lib/protocols/coap.c38
-rw-r--r--src/lib/protocols/drda.c106
-rw-r--r--src/lib/protocols/dropbox.c3
-rw-r--r--src/lib/protocols/git.c83
-rw-r--r--src/lib/protocols/quic.c19
-rw-r--r--src/lib/protocols/rx.c10
-rw-r--r--src/lib/protocols/teredo.c2
-rw-r--r--src/lib/protocols/tor.c7
-rwxr-xr-xtests/pcap/drda_db2.pcapbin0 -> 7323 bytes
-rw-r--r--tests/pcap/git.pcapbin0 -> 77264 bytes
-rw-r--r--tests/pcap/tor.pcapbin0 -> 3155084 bytes
-rw-r--r--tests/result/Instagram.pcap.out6
-rw-r--r--tests/result/Viber_session.pcap.out4
-rw-r--r--tests/result/coap_mqtt.pcap.out11
-rw-r--r--tests/result/drda_db2.pcap.out3
-rw-r--r--tests/result/dropbox.pcap.out35
-rw-r--r--tests/result/git.pcap.out3
-rw-r--r--tests/result/http_ipv6.pcap.out5
-rw-r--r--tests/result/quic.pcap.out21
-rw-r--r--tests/result/skype.pcap.out12
-rw-r--r--tests/result/skype_no_unknown.pcap.out12
-rw-r--r--tests/result/tor.pcap.out17
-rw-r--r--tests/result/viber_mobile.pcap.out4
-rw-r--r--tests/result/whatsapp_login_call.pcap.out4
-rw-r--r--tests/result/whatsapp_login_chat.pcap.out4
35 files changed, 399 insertions, 165 deletions
diff --git a/README.protocols b/README.protocols
index 27d8c6408..1c77df15b 100644
--- a/README.protocols
+++ b/README.protocols
@@ -8,7 +8,7 @@ TCP 172.16.253.130:2021 <-> 75.147.140.249:443 [VLAN: 0][proto: 91/SSL][28 pkts/
TCP 172.16.253.130:2077 <-> 77.247.181.163:443 [VLAN: 0][proto: 91/SSL][136 pkts/94329 bytes][SSL client: www.fk4pprq42hsvl2wey.com]
It can be detected by analyzing the SSL client certificate and checking the name that does not match to a real host in
-addition of begin a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize
+addition of being a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize
SSL-tunnelled connections.
See http://www.netresec.com/?page=Blog&month=2013-04&post=Detecting-TOR-Communication-in-Network-Traffic
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index f558d7b0d..deb61b681 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -620,8 +620,8 @@ static void debug_printf(u_int32_t protocol, void *id_struct,
static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
NDPI_PROTOCOL_BITMASK all;
-
struct ndpi_workflow_prefs prefs;
+
memset(&prefs, 0, sizeof(prefs));
prefs.decode_tunnels = decode_tunnels;
prefs.num_roots = NUM_ROOTS;
@@ -630,9 +630,13 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
memset(&ndpi_thread_info[thread_id], 0, sizeof(ndpi_thread_info[thread_id]));
ndpi_thread_info[thread_id].workflow = ndpi_workflow_init(&prefs, pcap_handle);
- /* ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 1; */
- ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id);
+ /* Preferences */
+ ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0;
+ ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 0;
+
+ ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow,
+ on_protocol_discovered, (void *)(uintptr_t)thread_id);
// enable all protocols
NDPI_BITMASK_SET_ALL(all);
@@ -769,7 +773,9 @@ static void printResults(u_int64_t tot_usec) {
memset(&cumulative_stats, 0, sizeof(cumulative_stats));
for(thread_id = 0; thread_id < num_threads; thread_id++) {
- if(ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0) continue;
+ if((ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0)
+ && (ndpi_thread_info[thread_id].workflow->stats.raw_packet_count == 0))
+ continue;
for(i=0; i<NUM_ROOTS; i++)
ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], node_proto_guess_walker, &thread_id);
diff --git a/example/ndpi_util.c b/example/ndpi_util.c
index 939b3efd0..57a6505e9 100644
--- a/example/ndpi_util.c
+++ b/example/ndpi_util.c
@@ -736,7 +736,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow,
goto iph_check;
}
- if((frag_off & 0x3FFF) != 0) {
+ if((frag_off & 0x1FFF) != 0) {
static u_int8_t ipv4_frags_warning_used = 0;
workflow->stats.fragmented_count++;
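Review bot: The new mask `0x1FFF` covers only the 13-bit fragment offset, so a first fragment (offset 0 with the more-fragments bit 0x2000 set) no longer enters this branch. Assuming `frag_off` is already in host byte order here, such a packet is not counted in `fragmented_count` and, as far as the hunk shows, goes on to be handled like a complete datagram. If letting first fragments through is the intent, it deserves a comment such as `/* 0x1FFF = offset only: first fragments (MF set, offset 0) are still dissected */`, and the statistics should say whether they are meant to include them. The enclosing function starts and ends outside the hunk.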
diff --git a/packages/homebrew/ndpi.rb b/packages/homebrew/ndpi.rb
index d7c17f500..a3ea00458 100644
--- a/packages/homebrew/ndpi.rb
+++ b/packages/homebrew/ndpi.rb
@@ -1,14 +1,15 @@
class Ndpi < Formula
desc "Deep Packet Inspection (DPI) library"
homepage "http://www.ntop.org/products/ndpi/"
- url "https://downloads.sourceforge.net/project/ntop/nDPI/nDPI-1.7.tar.gz"
- sha256 "714b745103a072462130b0e14cf31b2eb5270f580b7c839da5cf5ea75150262d"
+ url "https://downloads.sourceforge.net/project/ntop/nDPI/nDPI-1.8.tgz"
+ sha256 "f490137a7387b69d0d55e990f2150b86d7b5eaae870e5326e8c2f18c17412443"
bottle do
cellar :any
- sha256 "e9464d314479ba3e7a91422e0bc606cfd5f6e72e94d6441cc4fa30e9c925da5c" => :yosemite
- sha256 "1d6b1d860669b42766baa276ed948c342e2fa4fd28663ba64a90fd0e200ba9c4" => :mavericks
- sha256 "b814918b4fb9588de7126061ce4ac3eb41a5c3eee27c7432b669f6dc6921bfde" => :mountain_lion
+ sha256 "05053767fc3c70557745c348c7352e7c2716c040ca54c5cf8d5306167c878fcb" => :el_capitan
+ sha256 "34c0269039a0079820eeed862daa28158d9291f73f640a9415da60746d69a662" => :yosemite
+ sha256 "a2af4dc62c24313593b3a20e45ca9d2d49f8efc0ea5e52fd064001ea441b93e4" => :mavericks
+ sha256 "1bb200268a4d9df9bbe5d33bc773ee3bcf4b5d4fa00c76a040f16318438c284f" => :mountain_lion
end
depends_on "autoconf" => :build
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index adc56fc11..58253e9ce 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -274,8 +274,9 @@
#define NDPI_SERVICE_WEIBO 224
#define NDPI_SERVICE_OPENDNS 225
#define NDPI_PROTOCOL_GIT 226
+#define NDPI_PROTOCOL_DRDA 227
/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_GIT
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_DRDA
#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
#define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 04121347f..82d5bdb69 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -195,6 +195,7 @@ void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct n
void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
/* --- INIT FUNCTIONS --- */
void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
@@ -336,4 +337,5 @@ void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
#endif /* __NDPI_PROTOCOLS_H__ */
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index d83fdd5c0..18c195dbe 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -26,6 +26,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/bittorrent.c \
protocols/ciscovpn.c \
protocols/citrix.c \
+ protocols/coap.c \
protocols/collectd.c \
protocols/corba.c \
protocols/crossfire.c \
@@ -36,6 +37,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/directdownloadlink.c \
protocols/dns.c \
protocols/dofus.c \
+ protocols/drda.c \
protocols/dropbox.c \
protocols/eaq.c \
protocols/edonkey.c \
@@ -45,6 +47,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/florensia.c \
protocols/ftp_control.c \
protocols/ftp_data.c \
+ protocols/git.c \
protocols/gnutella.c \
protocols/gtp.c \
protocols/guildwars.c \
@@ -74,6 +77,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/mgcp.c \
protocols/mms.c \
protocols/mpegts.c \
+ protocols/mqtt.c \
protocols/msn.c \
protocols/mssql.c \
protocols/mysql.c \
@@ -104,6 +108,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/rtmp.c \
protocols/rtp.c \
protocols/rtsp.c \
+ protocols/rx.c \
protocols/sflow.c \
protocols/shoutcast.c \
protocols/sip.c \
@@ -152,9 +157,6 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/yahoo.c \
protocols/zattoo.c \
protocols/zeromq.c \
- protocols/coap.c \
- protocols/mqtt.c \
- protocols/rx.c \
third_party/include/actypes.h \
third_party/include/ahocorasick.h \
third_party/include/node.h \
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index ce56b79a6..aa806751b 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -7291,6 +7291,7 @@ ndpi_protocol_match host_match[] = {
{ "googleadservices.", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE },
{ "googleapis.com", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE },
{ "ggpht.com", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE },
+ { "1e100.net", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE },
{ "maps.google.", "GoogleMaps", NDPI_SERVICE_GOOGLE_MAPS, NDPI_PROTOCOL_ACCEPTABLE },
{ "maps.gstatic.com", "GoogleMaps", NDPI_SERVICE_GOOGLE_MAPS, NDPI_PROTOCOL_ACCEPTABLE },
{ ".gmail.", "GMail", NDPI_SERVICE_GMAIL, NDPI_PROTOCOL_SAFE },
@@ -7541,7 +7542,7 @@ static const char *ndpi_en_bigrams[] = {
static const char *ndpi_en_impossible_bigrams[] = {
"bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", "ee",
"fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", "jc", "jd", "jf", "jg", "jh", "jk",
- "jl", "jm", "jn", "jp", "jq", "jr", "js", "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx",
+ "jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx",
"kz", "lq", "lx", "mg", "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii",
"qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu",
"qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vk", "vm", "vn", "vp", "bw",
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 2c4b491ed..f97a2fffc 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1365,6 +1365,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "QUIC",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DROPBOX,
+ no_master,
+ no_master, "Dropbox",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ,
no_master,
no_master, "EAQ",
@@ -1454,43 +1459,43 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHOIS_DAS,
no_master,
no_master, "Whois-DAS",
- ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD,
no_master,
no_master, "Collectd",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOCKS,
no_master,
no_master, "SOCKS",
- ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TFTP,
no_master,
no_master, "TFTP",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTMP,
no_master,
no_master, "RTMP",
- ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PANDO,
no_master,
no_master, "Pando_Media_Booster",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MEGACO,
no_master,
no_master, "Megaco",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 2944 , 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 2944 , 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_REDIS,
no_master,
no_master, "Redis",
- ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0 , 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0 , 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZMQ,
no_master,
no_master, "ZeroMQ",
@@ -1509,13 +1514,13 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2,
no_master,
no_master, "UBNTAC2",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
- ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MS_LYNC,
no_master,
no_master, "Lync",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VIBER,
no_master,
no_master, "Viber",
@@ -1526,19 +1531,27 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "COAP",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 5683, 5684, 0, 0, 0)); /* UDP */
- ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_MQTT,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MQTT,
no_master,
no_master, "MQTT",
ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0);
- ports_b[0].port_low = 7000;
- ports_b[0].port_high = 7032; /* See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 */
- ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_RX,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX,
no_master,
no_master, "RX",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
- ports_b); /* UDP */
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GIT,
+ no_master,
+ no_master, "Git",
+ ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DRDA,
+ no_master,
+ no_master, "DRDA",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+
/* calling function for host and content matched protocols */
init_string_based_protocols(ndpi_mod);
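Review bot: The RX entry silently loses its UDP default range: the removed lines set `ports_b[0].port_low = 7000` and `port_high = 7032`, while the new call passes all zeros, so port-based guessing no longer covers RX. DRDA is likewise registered with no TCP default port, although drda.c in this same commit only inspects traffic on port 50000. If both are deliberate (for example to limit false positives), a short comment on each entry would record that; otherwise something like `ndpi_build_default_ports(ports_a, 50000, 0, 0, 0, 0), /* TCP */` would keep the DRDA table consistent with its dissector. The function body starts outside the hunk.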
@@ -2317,7 +2330,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* SSDP */
init_ssdp_dissector(ndpi_struct, &a, detection_bitmask);
-/* WORLD_OF_WARCRAFT */
+ /* WORLD_OF_WARCRAFT */
init_world_of_warcraft_dissector(ndpi_struct, &a, detection_bitmask);
/* POSTGRES */
@@ -2551,7 +2564,13 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* RX */
init_rx_dissector(ndpi_struct, &a, detection_bitmask);
- /* Put false-positive sensitive protocols at the end */
+ /* GIT */
+ init_git_dissector(ndpi_struct, &a, detection_bitmask);
+
+ /* DRDA */
+ init_drda_dissector(ndpi_struct, &a, detection_bitmask);
+
+ /*** Put false-positive sensitive protocols at the end ***/
/* SKYPE */
init_skype_dissector(ndpi_struct, &a, detection_bitmask);
@@ -3277,8 +3296,6 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru
flow->packet.iphv6 ||
#endif
flow->packet.iph)) {
- u_int32_t saddr, daddr;
-
flow->protocol_id_already_guessed = 1;
flow->guessed_protocol_id = (int16_t)ndpi_guess_protocol_id(ndpi_struct, l4_proto, sport, dport);
@@ -4470,7 +4487,6 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str
u_int8_t is_host_match) {
int matching_protocol_id = ndpi_match_string_subprotocol(ndpi_struct, string_to_match, string_to_match_len, is_host_match);
struct ndpi_packet_struct *packet = &flow->packet;
- AC_TEXT_t ac_input_text;
#ifdef DEBUG
{
@@ -4566,25 +4582,6 @@ char* ndpi_revision() { return(NDPI_GIT_RELEASE); }
#ifdef WIN32
-/*
- int pthread_mutex_init(pthread_mutex_t *mutex, void *unused) {
- unused = NULL;
- *mutex = CreateMutex(NULL, FALSE, NULL);
- return *mutex == NULL ? -1 : 0;
- }
-
- int pthread_mutex_destroy(pthread_mutex_t *mutex) {
- return CloseHandle(*mutex) == 0 ? -1 : 0;
- }
-
- int pthread_mutex_lock(pthread_mutex_t *mutex) {
- return WaitForSingleObject(*mutex, INFINITE) == WAIT_OBJECT_0 ? 0 : -1;
- }
-
- int pthread_mutex_unlock(pthread_mutex_t *mutex) {
- return ReleaseMutex(*mutex) == 0 ? -1 : 0;
- }
-*/
/* http://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/port/gettimeofday.c;h=75a91993b74414c0a1c13a2a09ce739cb8aa8a08;hb=HEAD */
int gettimeofday(struct timeval * tp, struct timezone * tzp) {
/* FILETIME of Jan 1 1970 00:00:00. */
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 6ac9ec69a..0eebe07ee 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -53,8 +53,7 @@ static u_int8_t is_utp_pkt(const u_int8_t *payload, u_int payload_len) {
static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
int bt_offset, int check_hash,
- const u_int8_t save_detection, const u_int8_t encrypted_connection/* , */
- /* ndpi_protocol_type_t protocol_type */)
+ const u_int8_t save_detection, const u_int8_t encrypted_connection)
{
if(check_hash) {
const char *bt_hash = NULL; /* 20 bytes long */
@@ -92,8 +91,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
NDPI_LOG(NDPI_PROTOCOL_BITTORRENT,
ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 19, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION/* , */
- /* NDPI_REAL_PROTOCOL */);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
}
@@ -125,8 +123,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
NDPI_LOG_TRACE, "BT: plain Bitcomet persistent seed protocol detected\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION/* , */
- /* NDPI_CORRELATED_PROTOCOL */);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
return 1;
}
diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c
index cddf31b7e..5f8e97863 100644
--- a/src/lib/protocols/coap.c
+++ b/src/lib/protocols/coap.c
@@ -72,7 +72,7 @@ struct ndpi_coap_hdr
[164] = "5.04 Gateway Timeout",
[165] = "5.05 Proxying Not Supported"
**/
-
+
/**
* Entry point when protocol is identified.
@@ -84,6 +84,20 @@ static void ndpi_int_coap_add_connection (struct ndpi_detection_module_struct *n
}
/**
+ * Check if the default port is acceptable
+ *
+ * UDP Port 5683 (mandatory)
+ * UDP Ports 61616-61631 compressed 6lowPAN
+ */
+static int isCoAPport(u_int16_t port) {
+ if((port == 5683)
+ || ((port >= 61616) && (port <= 61631)))
+ return(1);
+ else
+ return(0);
+}
+
+/**
* Dissector function that searches CoAP headers
*/
void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
@@ -91,22 +105,24 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_coap_hdr * h = (struct ndpi_coap_hdr*) packet->payload;
-
+
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
return;
}
// search for udp packet
if(packet->udp != NULL) {
-
- // header too short
- if(packet->payload_packet_len < 4) {
-
+ u_int16_t s_port = ntohs(flow->packet.udp->source);
+ u_int16_t d_port = ntohs(flow->packet.udp->dest);
+
+ if((!isCoAPport(s_port) && !isCoAPport(s_port))
+ || (packet->payload_packet_len < 4) // header too short
+ ) {
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "excluding Coap\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP);
return;
}
-
+
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "calculating coap over udp.\n");
// check values in header
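Review bot: The port test checks the source port twice, `(!isCoAPport(s_port) && !isCoAPport(s_port))`, and `d_port` is computed but never used. A request sent from an ephemeral port to 5683 is therefore excluded as non-CoAP, and only traffic whose source port is a CoAP port can match. The condition should read `if((!isCoAPport(s_port) && !isCoAPport(d_port))`. The body of ndpi_search_coap continues outside the hunk.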
@@ -116,21 +132,21 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) ||
(h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) ||
(h->code >= 160 && h->code <= 165)) {
-
+
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Coap found...\n");
ndpi_int_coap_add_connection(ndpi_struct,flow);
return;
}
}
}
- }
+ }
}
-
+
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Coap ...\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP);
return;
-
}
+
/**
* Entry point for the ndpi library
*/
diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c
new file mode 100644
index 000000000..9240e8364
--- /dev/null
+++ b/src/lib/protocols/drda.c
@@ -0,0 +1,106 @@
+/*
+ * drda.c
+ *
+ * Copyright (C) 2012-16 - ntop.org
+ *
+ * This module is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This module is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License.
+ * If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#include "ndpi_api.h"
+
+#ifdef NDPI_PROTOCOL_DRDA
+
+#define DRDA_PORT 50000
+
+struct ndpi_drda_hdr {
+ u_int16_t length;
+ u_int8_t magic;
+ u_int8_t format;
+ u_int16_t correlID;
+ u_int16_t length2;
+ u_int16_t code_pnt;
+};
+
+
+void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct * packet = &flow->packet;
+ u_int16_t payload_len = packet->payload_packet_len;
+ u_int16_t count = 0;
+
+ if(packet->tcp != NULL) {
+
+ /* check port */
+ if((ntohs(packet->tcp->source) == DRDA_PORT ||
+ ntohs(packet->tcp->dest) == DRDA_PORT)) {
+
+ struct ndpi_drda_hdr * drda = (struct ndpi_drda_hdr *) packet->payload;
+
+ u_int16_t len = ntohs(drda->length);
+
+ /* check first header */
+ if(len - 6 != ntohs(drda->length2) &&
+ drda->magic != 0xd0)
+ goto no_drda;
+
+ /* check if there are more drda headers */
+ if(payload_len > len) {
+
+ count = len;
+ const u_int8_t * pp = packet->payload + len;
+
+ while(count < payload_len)
+ {
+ /* update info */
+ drda = (struct ndpi_drda_hdr *) pp;
+ len = ntohs(drda->length);
+
+ if(len - 6 != ntohs(drda->length2) &&
+ drda->magic != 0xd0)
+ goto no_drda;
+
+ count += len;
+ }
+ if(count != payload_len) goto no_drda;
+ }
+ NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "found DRDA.\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DRDA, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+ }
+
+ no_drda:
+ NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "exclude DRDA.\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DRDA);
+}
+
+
+/* ***************************************************************** */
+
+
+void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("DRDA", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_DRDA,
+ ndpi_search_drda,
+ NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
+#endif /* NDPI_PROTOCOL_DRDA */
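Review bot: ndpi_search_drda reads `drda->length`, `length2` and `magic` without first checking that the payload holds a whole `struct ndpi_drda_hdr`. The inner `while` also never advances `pp`, so it re-reads the same header on every pass and does not terminate when that header's length field is zero. Both header checks join their two tests with `&&`, which rejects a header only when the length relation and the 0xd0 magic are both wrong; `||` looks intended. Since this runs on arbitrary TCP payloads seen on port 50000, I would bound every read by the remaining payload, require each length to be at least the header size, and index from `packet->payload + count`, as sketched below. The existing `count != payload_len` test can stay as a backstop.

```c
      /* a DRDA header must fit before any field is read */
      if(payload_len < sizeof(struct ndpi_drda_hdr))
        goto no_drda;

      /* ... unchanged: drda cast and len = ntohs(drda->length) ... */

      /* check first header: reject if either property fails */
      if((len < sizeof(struct ndpi_drda_hdr))
         || (len - 6 != ntohs(drda->length2))
         || (drda->magic != 0xd0))
        goto no_drda;

      /* check if there are more drda headers */
      if(payload_len > len) {
        count = len;

        while(count < payload_len) {
          /* the next header must lie entirely inside the payload */
          if((payload_len - count) < sizeof(struct ndpi_drda_hdr))
            goto no_drda;

          drda = (struct ndpi_drda_hdr *)(packet->payload + count);
          len = ntohs(drda->length);

          /* len >= header size guarantees forward progress */
          if((len < sizeof(struct ndpi_drda_hdr))
             || (len > payload_len - count)
             || (len - 6 != ntohs(drda->length2))
             || (drda->magic != 0xd0))
            goto no_drda;

          count += len;
        }
        /* ... unchanged: count != payload_len check ... */
      }
```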
diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c
index f51de95d2..d8babfb1b 100644
--- a/src/lib/protocols/dropbox.c
+++ b/src/lib/protocols/dropbox.c
@@ -1,7 +1,7 @@
/*
* dropbox.c
*
- * Copyright (C) 2011-13 by ntop.org
+ * Copyright (C) 2012-16 by ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -44,7 +44,6 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t payload_len = packet->payload_packet_len;
if(packet->udp != NULL) {
-
u_int16_t dropbox_port = htons(DB_LSP_PORT);
if((packet->udp->source == dropbox_port)
diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c
new file mode 100644
index 000000000..f3e015aef
--- /dev/null
+++ b/src/lib/protocols/git.c
@@ -0,0 +1,83 @@
+/*
+ * git.c
+ *
+ * Copyright (C) 2012-16 - ntop.org
+ *
+ * This module is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This module is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License.
+ * If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#include <stdlib.h>
+#include "ndpi_api.h"
+
+#ifdef NDPI_PROTOCOL_GIT
+
+#define GIT_PORT 9418
+
+void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct * packet = &flow->packet;
+
+ if((packet->tcp != NULL) && (packet->payload_packet_len > 4)) {
+ if((ntohs(packet->tcp->source) == GIT_PORT)
+ || (ntohs(packet->tcp->dest) == GIT_PORT)) {
+ const u_int8_t * pp = packet->payload;
+ u_int16_t payload_len = packet->payload_packet_len;
+ u_int8_t found_git = 1;
+ u_int16_t git_len = 0, offset = 0;
+
+ while((offset+4) < payload_len) {
+ char len[5];
+ u_int32_t git_pkt_len;
+
+ memcpy(&len, &pp[offset], 4), len[4] = 0;
+ git_pkt_len = atoi(len);
+
+ if(payload_len < git_pkt_len) {
+ found_git = 0;
+ break;
+ } else
+ offset += git_pkt_len, payload_len -= git_pkt_len;
+ }
+
+ if(found_git) {
+ NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "found Git.\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+ }
+ }
+
+ NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "exclude Git.\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GIT);
+}
+
+
+/* ***************************************************************** */
+
+
+void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("Git", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_GIT,
+ ndpi_search_git,
+ NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
+#endif /* NDPI_PROTOCOL_GIT */
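Review bot: In the `while` loop, `atoi(len)` parses the pkt-line length as decimal, while Git writes it as four hex digits. A result of 0 (the `0000` flush packet, or any prefix that is not a decimal number) leaves both `offset` and `payload_len` unchanged, so the loop does not terminate on such a payload. The loop also advances `offset` and shrinks `payload_len` together, so the bound is compared against a length that has already been discounted. I would parse with `strtoul(len, &end, 16)`, treat `0000` as a 4-byte record, reject lengths below 4 or beyond the remaining bytes, and advance only `offset`, as below. `git_len` is unused and can be dropped.

```c
      while((offset+4) < payload_len) {
        char len[5], *end;
        unsigned long git_pkt_len;

        memcpy(len, &pp[offset], 4), len[4] = 0;
        git_pkt_len = strtoul(len, &end, 16); /* pkt-line length: 4 hex digits */

        if(end != &len[4]) { /* not four parsable characters */
          found_git = 0;
          break;
        }

        if(git_pkt_len == 0)
          git_pkt_len = 4; /* flush-pkt "0000" carries only the length field */

        /* the length includes its own 4 bytes and must fit in what is left */
        if((git_pkt_len < 4)
           || (git_pkt_len > (unsigned long)(payload_len - offset))) {
          found_git = 0;
          break;
        }

        offset += git_pkt_len; /* payload_len stays the full payload size */
      }
      /* ... unchanged: found_git handling ... */
```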
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index ac443951b..6e1ad77cc 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -22,7 +22,6 @@
*
*/
-
#include "ndpi_api.h"
#ifdef NDPI_PROTOCOL_QUIC
@@ -38,18 +37,6 @@ static int quic_ports(u_int16_t sport, u_int16_t dport)
/* ***************************************************************** */
-static int quic_payload(const u_int8_t *payload) {
- if((payload[0] == 'Q')
- && isdigit(payload[1])
- && isdigit(payload[2])
- && isdigit(payload[3]))
- return(1);
-
- return(0);
-}
-
-/* ***************************************************************** */
-
static int quic_len(u_int8_t l) {
switch(l) {
case 0:
@@ -119,6 +106,12 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
flow->host_server_name[j++] = packet->payload[sni_offset];
sni_offset++, len--;
}
+
+ ndpi_match_host_subprotocol(ndpi_struct, flow,
+ (char *)flow->host_server_name,
+ strlen((const char*)flow->host_server_name),
+ NDPI_PROTOCOL_QUIC);
+
}
break;
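Review bot: The new call measures the name with `strlen((const char*)flow->host_server_name)`, which is only safe if the copy loop just above leaves the buffer NUL-terminated. Neither the terminator nor the loop's bound on `j` is visible in this hunk, and the name bytes come straight from the packet. If `j` is the number of bytes copied, passing it as the length (`(char *)flow->host_server_name, j, NDPI_PROTOCOL_QUIC`) would avoid relying on a terminator. Otherwise a comment stating where the buffer is zeroed would settle it. The loop and the enclosing `case` start outside the hunk.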
diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c
index 319dd6d4d..9d27d5e18 100644
--- a/src/lib/protocols/rx.c
+++ b/src/lib/protocols/rx.c
@@ -30,7 +30,8 @@
/* See http://web.mit.edu/kolya/afs/rx/rx-spec for procotol description. */
/* The should be no need for explicit packing, but just in case... */
-struct __attribute__((__packed__)) ndpi_rx_header {
+PACK_ON
+struct ndpi_rx_header {
u_int32_t conn_epoch;
u_int32_t conn_id;
u_int32_t call_number;
@@ -42,7 +43,7 @@ struct __attribute__((__packed__)) ndpi_rx_header {
u_int8_t security;
u_int16_t checksum;
u_int16_t service_id;
-};
+} PACK_OFF;
/* Type values */
#define DATA 1
@@ -108,7 +109,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct,
**/
/* TYPE field */
- if((header->type < DATA) && (header->type > VERSION)) {
+ if((header->type < DATA) || (header->type > VERSION)) {
NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX);
return;
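Review bot: Nothing in this commit exercises the corrected TYPE check. The old `&&` form could never be true, so the exclusion branch only becomes reachable now, and the tests/ changes visible in this diff add no RX capture or result file. A small capture whose type byte is outside the valid range, with its expected `.out`, would pin the new behaviour. A one-line comment above the test, e.g. `/* valid packet types are DATA..VERSION inclusive */`, would also document the range being enforced. ndpi_check_rx starts and ends outside the hunk.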
@@ -170,8 +171,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct,
security:
/* SECURITY field */
- if(header->security != 0 && header->security != 1 &&
- header->security != 2 && header->security != 3)
+ if(header->security > 3)
{
NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX);
diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c
index 9fb2c6483..079d1fbcd 100644
--- a/src/lib/protocols/teredo.c
+++ b/src/lib/protocols/teredo.c
@@ -29,6 +29,8 @@ void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct
struct ndpi_packet_struct *packet = &flow->packet;
if(packet->udp
+ && packet->iph
+ && ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */)
&& ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544))
&& (packet->payload_packet_len >= 40 /* IPv6 header */))
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN);
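Review bot: The added destination test appears inverted. `(ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000` is true only for 224.0.0.0/4, so after this change a UDP port 3544 packet is labelled Teredo only when it is addressed to a multicast group, and ordinary unicast Teredo traffic would no longer match. If the intent was to stop multicast traffic on port 3544 from being misclassified, the line should read `&& ((ntohl(packet->iph->daddr) & 0xF0000000) != 0xE0000000 /* Not a multicast address */)`. The `packet->iph` guard before the dereference is correct and should stay. None of the result files visible in this diff contains a Teredo flow, so the test suite would not catch this, and missing a tunnelling protocol matters for anyone using the classification for policy. The function continues outside the hunk.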
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 1a538eefd..2152da328 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -1,7 +1,7 @@
/*
* tor.c
*
- * Copyright (C) 2015 ntop.org
+ * Copyright (C) 2016 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
*/
@@ -39,10 +39,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
len = strlen(name);
- if(len > 6) {
+ if(len >= 5) {
for(i = 0; name[i+1] != '\0'; i++) {
+ // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]);
+
if((name[i] >= '0') && (name[i] <= '9')) {
-
if(prev_num != 1) {
numbers_found++;
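Review bot: The added `// printf(...)` line is commented-out debug code inside the per-character loop and should not be committed. Either drop it or route the trace through the logger the dissectors already use, e.g. `NDPI_LOG(NDPI_PROTOCOL_TOR, ndpi_struct, NDPI_LOG_DEBUG, "[SSL] [%d][%c]\n", i, name[i]);`. The threshold change from `len > 6` to `len >= 5` also widens the set of names that reach the digit/letter heuristic without stating why. A comment such as `/* names shorter than 5 characters are not checked */`, plus the author's rationale for the value, would help whoever tunes false positives later. ndpi_is_ssl_tor starts and ends outside the hunk.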
diff --git a/tests/pcap/drda_db2.pcap b/tests/pcap/drda_db2.pcap
new file mode 100755
index 000000000..e91629e04
--- /dev/null
+++ b/tests/pcap/drda_db2.pcap
Binary files differ
diff --git a/tests/pcap/git.pcap b/tests/pcap/git.pcap
new file mode 100644
index 000000000..b32a255ef
--- /dev/null
+++ b/tests/pcap/git.pcap
Binary files differ
diff --git a/tests/pcap/tor.pcap b/tests/pcap/tor.pcap
new file mode 100644
index 000000000..bf5b43649
--- /dev/null
+++ b/tests/pcap/tor.pcap
Binary files differ
diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out
index 3e349a331..ee5183ccf 100644
--- a/tests/result/Instagram.pcap.out
+++ b/tests/result/Instagram.pcap.out
@@ -2,10 +2,10 @@ Unknown 1 66 1
HTTP 266 245342 7
ICMP 5 510 1
SSL 103 62597 5
-DropBox 5 725 2
+Dropbox 5 725 2
Instagram 363 255094 16
- 1 UDP 192.168.0.106:17500 <-> 192.168.0.255:17500 [proto: 121/DropBox][1 pkts/145 bytes]
+ 1 UDP 192.168.0.106:17500 <-> 192.168.0.255:17500 [proto: 121/Dropbox][1 pkts/145 bytes]
2 UDP 8.8.8.8:53 <-> 192.168.0.103:26540 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-g-a.akamaihd.net]
3 UDP 8.8.8.8:53 <-> 192.168.0.103:27124 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes][Host: photos-b.ak.instagram.com]
4 TCP 31.13.93.52:443 <-> 192.168.0.103:33763 [proto: 91/SSL][11 pkts/5397 bytes]
@@ -20,7 +20,7 @@ Instagram 363 255094 16
13 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][3 pkts/198 bytes]
14 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][75 pkts/57239 bytes][Host: photos-g.ak.instagram.com]
15 TCP 173.252.107.4:443 <-> 192.168.0.103:56382 [proto: 91.211/SSL.Instagram][17 pkts/2647 bytes][SSL client: telegraph-ash.instagram.com]
- 16 UDP 192.168.0.106:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][4 pkts/580 bytes]
+ 16 UDP 192.168.0.106:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][4 pkts/580 bytes]
17 UDP 8.8.8.8:53 <-> 192.168.0.103:33603 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-a-a.akamaihd.net]
18 TCP 31.13.93.52:443 <-> 192.168.0.103:33936 [proto: 91/SSL][68 pkts/45688 bytes]
19 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91/SSL][12 pkts/6044 bytes]
diff --git a/tests/result/Viber_session.pcap.out b/tests/result/Viber_session.pcap.out
index 89bdd3a92..e73acc6f4 100644
--- a/tests/result/Viber_session.pcap.out
+++ b/tests/result/Viber_session.pcap.out
@@ -3,7 +3,7 @@ HTTP 14 862 8
SSL_No_Cert 34 4141 1
ICMP 2 196 1
SSL 109 11647 10
-DropBox 1 97 1
+Dropbox 1 97 1
GMail 21 1891 1
Google 50 4084 5
Viber 4163 392492 4
@@ -37,7 +37,7 @@ Viber 4163 392492 4
27 UDP 54.169.63.186:7987 <-> 192.168.200.222:48564 [proto: 144/Viber][2 pkts/138 bytes]
28 UDP 54.169.63.186:7985 <-> 192.168.200.222:48564 [proto: 144/Viber][4143 pkts/390781 bytes]
29 TCP 93.184.221.200:80 <-> 192.168.200.222:50854 [proto: 7/HTTP][1 pkts/60 bytes]
- 30 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.DropBox][1 pkts/97 bytes]
+ 30 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][1 pkts/97 bytes]
31 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][16 pkts/1419 bytes][SSL client: settings.crashlytics.com]
diff --git a/tests/result/coap_mqtt.pcap.out b/tests/result/coap_mqtt.pcap.out
index 2e6f7abc9..67e3d3077 100644
--- a/tests/result/coap_mqtt.pcap.out
+++ b/tests/result/coap_mqtt.pcap.out
@@ -1,18 +1,19 @@
-COAP 819 82290 12
+COAP 19 1614 8
+Dropbox 800 80676 4
MQTT 7695 668291 4
1 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61043 [proto: 27/COAP][1 pkts/86 bytes]
2 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61045 [proto: 27/COAP][1 pkts/86 bytes]
3 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61047 [proto: 27/COAP][1 pkts/90 bytes]
- 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20220 bytes]
- 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20194 bytes]
+ 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20220 bytes]
+ 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20194 bytes]
6 TCP 192.168.56.1:53523 <-> 192.168.56.101:17501 [proto: 222/MQTT][1926 pkts/167126 bytes]
7 UDP [bbbb::1]:33499 <-> [bbbb::3]:5683 [proto: 27/COAP][4 pkts/404 bytes]
8 UDP [bbbb::1]:46819 <-> [bbbb::3]:5683 [proto: 27/COAP][6 pkts/467 bytes]
9 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61044 [proto: 27/COAP][1 pkts/86 bytes]
10 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61046 [proto: 27/COAP][1 pkts/86 bytes]
- 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20120 bytes]
- 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20142 bytes]
+ 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20120 bytes]
+ 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20142 bytes]
13 TCP 192.168.56.1:53522 <-> 192.168.56.101:17501 [proto: 222/MQTT][1922 pkts/166928 bytes]
14 TCP 192.168.56.1:53528 <-> 192.168.56.101:17501 [proto: 222/MQTT][1928 pkts/167509 bytes]
15 TCP 192.168.56.1:53524 <-> 192.168.56.101:17501 [proto: 222/MQTT][1919 pkts/166728 bytes]
diff --git a/tests/result/drda_db2.pcap.out b/tests/result/drda_db2.pcap.out
new file mode 100644
index 000000000..ee222fcd6
--- /dev/null
+++ b/tests/result/drda_db2.pcap.out
@@ -0,0 +1,3 @@
+DRDA 38 6691 1
+
+ 1 TCP 192.168.106.1:4847 <-> 192.168.106.128:50000 [proto: 227/DRDA][38 pkts/6691 bytes]
diff --git a/tests/result/dropbox.pcap.out b/tests/result/dropbox.pcap.out
index 343ba0ad5..c8b862513 100644
--- a/tests/result/dropbox.pcap.out
+++ b/tests/result/dropbox.pcap.out
@@ -1,17 +1,16 @@
MDNS 16 1648 1
SSDP 140 61108 22
-COAP 800 80676 4
-DropBox 304 165446 12
+Dropbox 1104 246122 16
- 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/744 bytes][Host: notify.dropbox.com]
- 2 UDP 192.168.1.105:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][6 pkts/1422 bytes]
- 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.DropBox][34 pkts/18026 bytes][SSL client: client.dropbox.com]
- 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][8 pkts/1390 bytes][Host: log.getdropbox.com]
- 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.DropBox][22 pkts/11392 bytes][SSL client: notify.dropbox.com]
- 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/792 bytes][Host: d.dropbox.com]
- 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/822 bytes][Host: client.dropbox.com]
- 8 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20220 bytes]
- 9 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20194 bytes]
+ 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/744 bytes][Host: notify.dropbox.com]
+ 2 UDP 192.168.1.105:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes]
+ 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][34 pkts/18026 bytes][SSL client: client.dropbox.com]
+ 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][8 pkts/1390 bytes][Host: log.getdropbox.com]
+ 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][22 pkts/11392 bytes][SSL client: notify.dropbox.com]
+ 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/792 bytes][Host: d.dropbox.com]
+ 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/822 bytes][Host: client.dropbox.com]
+ 8 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20220 bytes]
+ 9 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20194 bytes]
10 UDP 192.168.1.101:1280 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes]
11 UDP 192.168.1.101:1346 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes]
12 UDP 192.168.1.101:1650 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes]
@@ -20,14 +19,14 @@ DropBox 304 165446 12
15 UDP 192.168.1.101:2604 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes]
16 UDP 192.168.1.101:3412 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes]
17 UDP 192.168.1.101:4974 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes]
- 18 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/774 bytes][Host: client-cf.dropbox.com]
- 19 UDP 192.168.1.105:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][6 pkts/1422 bytes]
+ 18 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/774 bytes][Host: client-cf.dropbox.com]
+ 19 UDP 192.168.1.105:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes]
20 UDP 239.255.255.250:1900 <-> 192.168.1.254:50828 [proto: 12/SSDP][44 pkts/19936 bytes]
- 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20120 bytes]
- 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20142 bytes]
+ 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20120 bytes]
+ 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20142 bytes]
23 UDP 192.168.1.106:57268 <-> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes]
- 24 TCP 54.240.174.31:443 <-> 192.168.1.105:44949 [proto: 91.121/SSL.DropBox][138 pkts/97302 bytes][SSL client: client-cf.dropbox.com]
- 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.DropBox][20 pkts/3928 bytes][Host: log.getdropbox.com]
+ 24 TCP 54.240.174.31:443 <-> 192.168.1.105:44949 [proto: 91.121/SSL.Dropbox][138 pkts/97302 bytes][SSL client: client-cf.dropbox.com]
+ 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][20 pkts/3928 bytes][Host: log.getdropbox.com]
26 UDP 192.168.1.101:2169 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes]
27 UDP 192.168.1.101:2141 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes]
28 UDP 192.168.1.101:2159 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes]
@@ -41,4 +40,4 @@ DropBox 304 165446 12
36 UDP 192.168.1.101:4169 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes]
37 UDP 192.168.1.106:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][16 pkts/1648 bytes]
38 UDP 192.168.1.101:4625 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes]
- 39 TCP 192.168.1.105:47747 <-> 108.160.172.225:443 [proto: 91.121/SSL.DropBox][54 pkts/27432 bytes][SSL client: d.dropbox.com]
+ 39 TCP 192.168.1.105:47747 <-> 108.160.172.225:443 [proto: 91.121/SSL.Dropbox][54 pkts/27432 bytes][SSL client: d.dropbox.com]
diff --git a/tests/result/git.pcap.out b/tests/result/git.pcap.out
new file mode 100644
index 000000000..665dad5a8
--- /dev/null
+++ b/tests/result/git.pcap.out
@@ -0,0 +1,3 @@
+Git 90 74005 1
+
+ 1 TCP 5.153.231.21:9418 <-> 192.168.0.77:47991 [proto: 226/Git][90 pkts/74005 bytes]
diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out
index ab9b3e6ef..8117cef8e 100644
--- a/tests/result/http_ipv6.pcap.out
+++ b/tests/result/http_ipv6.pcap.out
@@ -1,6 +1,7 @@
SSL 106 39646 11
Facebook 22 10202 2
-QUIC 65 16479 2
+Google 62 15977 1
+QUIC 3 502 1
1 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][2 pkts/172 bytes]
2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37486 [proto: 91/SSL][19 pkts/7014 bytes][SSL client: www.ntop.org]
@@ -15,5 +16,5 @@ QUIC 65 16479 2
11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1012]:59690 [proto: 91/SSL][2 pkts/172 bytes]
12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][2 pkts/172 bytes]
13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/SSL][2 pkts/172 bytes]
- 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:45931 [proto: 188/QUIC][62 pkts/15977 bytes][Host: www.google.it]
+ 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:45931 [proto: 188.126/QUIC.Google][62 pkts/15977 bytes][Host: www.google.it]
15 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][3 pkts/502 bytes]
diff --git a/tests/result/quic.pcap.out b/tests/result/quic.pcap.out
index 9c56d2d75..144137339 100644
--- a/tests/result/quic.pcap.out
+++ b/tests/result/quic.pcap.out
@@ -1,15 +1,18 @@
Unknown 6 7072 1
-QUIC 512 341494 9
+GMail 413 254874 1
+YouTube 83 73409 4
+Google 13 12847 3
+QUIC 3 364 1
- 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188/QUIC][3 pkts/2863 bytes][Host: i.ytimg.com]
- 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188/QUIC][2 pkts/2784 bytes][Host: yt3.ggpht.com]
- 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188/QUIC][413 pkts/254874 bytes][Host: mail.google.com]
+ 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][3 pkts/2863 bytes][Host: i.ytimg.com]
+ 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.126/QUIC.Google][2 pkts/2784 bytes][Host: yt3.ggpht.com]
+ 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188.122/QUIC.GMail][413 pkts/254874 bytes][Host: mail.google.com]
4 UDP 172.217.16.3:443 <-> 192.168.1.105:40461 [proto: 188/QUIC][3 pkts/364 bytes]
- 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188/QUIC][5 pkts/4334 bytes][Host: www.google.com]
- 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188/QUIC][7 pkts/6545 bytes][Host: www.youtube.com]
- 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188/QUIC][69 pkts/58433 bytes][Host: www.youtube.com]
- 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188/QUIC][6 pkts/5729 bytes][Host: fonts.gstatic.com]
- 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188/QUIC][4 pkts/5568 bytes][Host: s.ytimg.com]
+ 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188.126/QUIC.Google][5 pkts/4334 bytes][Host: www.google.com]
+ 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188.124/QUIC.YouTube][7 pkts/6545 bytes][Host: www.youtube.com]
+ 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188.124/QUIC.YouTube][69 pkts/58433 bytes][Host: www.youtube.com]
+ 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188.126/QUIC.Google][6 pkts/5729 bytes][Host: fonts.gstatic.com]
+ 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188.124/QUIC.YouTube][4 pkts/5568 bytes][Host: s.ytimg.com]
Undetected flows:
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index abcece480..06dd715fc 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -6,7 +6,7 @@ SSDP 101 38156 6
ICMP 8 656 1
IGMP 5 258 4
SSL 88 8268 6
-DropBox 38 17948 5
+Dropbox 38 17948 5
Skype 2307 491376 244
Apple 15 2045 2
AppleiCloud 88 20520 2
@@ -33,8 +33,8 @@ Spotify 5 430 1
19 UDP 192.168.1.34:13021 <-> 111.221.77.176:40020 [proto: 125/Skype][1 pkts/73 bytes]
20 TCP 192.168.1.34:50110 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/377 bytes]
21 TCP 91.190.216.23:12350 <-> 192.168.1.34:50126 [proto: 125/Skype][20 pkts/5160 bytes]
- 22 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][6 pkts/3264 bytes]
- 23 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][5 pkts/2720 bytes]
+ 22 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes]
+ 23 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes]
24 TCP 192.168.1.34:50113 <-> 71.238.7.203:18767 [proto: 125/Skype][14 pkts/1152 bytes]
25 TCP 192.168.1.34:50116 <-> 81.83.77.141:17639 [proto: 125/Skype][19 pkts/1510 bytes]
26 UDP 157.56.52.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes]
@@ -210,8 +210,8 @@ Spotify 5 430 1
196 UDP 192.168.1.92:57621 <-> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes]
197 UDP 192.168.1.1:53 <-> 192.168.1.34:49990 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net]
198 TCP 192.168.1.34:50145 <-> 157.56.53.51:12350 [proto: 125/Skype][8 pkts/608 bytes]
- 199 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][6 pkts/3264 bytes]
- 200 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][5 pkts/2720 bytes]
+ 199 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes]
+ 200 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes]
201 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes]
202 UDP 192.168.1.1:53 <-> 192.168.1.34:51802 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com]
203 UDP 192.168.1.1:53 <-> 192.168.1.34:52714 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com]
@@ -284,7 +284,7 @@ Spotify 5 430 1
270 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 125/Skype][20 pkts/1516 bytes]
271 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][18 pkts/1506 bytes]
272 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][15 pkts/1237 bytes]
- 273 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.DropBox][16 pkts/5980 bytes]
+ 273 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.Dropbox][16 pkts/5980 bytes]
274 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 125/Skype][14 pkts/1208 bytes]
275 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 125/Skype][13 pkts/1109 bytes]
276 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][17 pkts/1304 bytes]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index c307ca471..aa087f692 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -6,7 +6,7 @@ SSDP 40 14100 3
ICMP 4 328 1
IGMP 4 226 4
SSL 79 7742 6
-DropBox 16 7342 5
+Dropbox 16 7342 5
Skype 1585 362654 220
Apple 84 20699 2
@@ -23,9 +23,9 @@ Apple 84 20699 2
11 UDP 192.168.1.34:13021 <-> 111.221.77.149:40016 [proto: 125/Skype][1 pkts/75 bytes]
12 UDP 192.168.1.34:13021 <-> 111.221.77.171:40030 [proto: 125/Skype][1 pkts/64 bytes]
13 UDP 192.168.1.34:13021 <-> 111.221.77.173:40012 [proto: 125/Skype][1 pkts/79 bytes]
- 14 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes]
+ 14 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes]
15 TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/423 bytes]
- 16 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes]
+ 16 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes]
17 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/479 bytes]
18 TCP 192.168.1.34:51289 <-> 71.238.7.203:18767 [proto: 125/Skype][17 pkts/1369 bytes]
19 UDP 157.56.52.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes]
@@ -123,7 +123,7 @@ Apple 84 20699 2
111 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 125/Skype][10 pkts/599 bytes]
112 UDP 192.168.1.34:13021 <-> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/70 bytes]
113 UDP 111.221.74.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes]
- 114 TCP 192.168.1.34:51222 <-> 108.160.163.108:443 [proto: 91.121/SSL.DropBox][8 pkts/2990 bytes]
+ 114 TCP 192.168.1.34:51222 <-> 108.160.163.108:443 [proto: 91.121/SSL.Dropbox][8 pkts/2990 bytes]
115 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 125/Skype][14 pkts/1253 bytes]
116 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][3 pkts/206 bytes]
117 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125/Skype][19 pkts/1496 bytes]
@@ -188,8 +188,8 @@ Apple 84 20699 2
176 UDP 192.168.1.34:13021 <-> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes]
177 UDP 192.168.1.1:53 <-> 192.168.1.34:49864 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com]
178 TCP 149.13.32.15:13392 <-> 192.168.1.34:51316 [proto: 125/Skype][14 pkts/1176 bytes]
- 179 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes]
- 180 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes]
+ 179 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes]
+ 180 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes]
181 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes]
182 UDP 192.168.1.1:53 <-> 192.168.1.34:53372 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net]
183 UDP 192.168.1.92:53826 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes]
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
new file mode 100644
index 000000000..499e771a4
--- /dev/null
+++ b/tests/result/tor.pcap.out
@@ -0,0 +1,17 @@
+NetBIOS 1 252 1
+DHCPV6 6 906 1
+Dropbox 10 1860 1
+Skype 1 60 1
+Tor 3676 3014362 7
+
+ 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][10 pkts/1860 bytes]
+ 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes]
+ 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes][SSL client: www.t3i3ru.com]
+ 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes][SSL client: www.e6r5p57kbafwrxj3plz.com]
+ 5 TCP 91.143.93.242:443 <-> 192.168.1.252:51175 [proto: 163/Tor][38 pkts/12520 bytes][SSL client: www.gfu7hbxpfp.com]
+ 6 TCP 157.56.30.46:443 <-> 192.168.1.252:51104 [proto: 91.125/SSL.Skype][1 pkts/60 bytes]
+ 7 UDP 192.168.1.252:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes]
+ 8 TCP 38.229.70.53:443 <-> 192.168.1.252:51112 [proto: 163/Tor][1576 pkts/1388792 bytes][SSL client: www.q4cyamnc6mtokjurvdclt.com]
+ 9 TCP 38.229.70.53:443 <-> 192.168.1.252:51176 [proto: 163/Tor][1826 pkts/1513278 bytes][SSL client: www.jmts2id.com]
+ 10 TCP 62.210.137.230:443 <-> 192.168.1.252:51185 [proto: 163/Tor][29 pkts/9661 bytes][SSL client: www.6gyip7tqim7sieb.com]
+ 11 TCP 91.143.93.242:443 <-> 192.168.1.252:51110 [proto: 163/Tor][141 pkts/68538 bytes][SSL client: www.ct7ctrgb6cr7.com]
diff --git a/tests/result/viber_mobile.pcap.out b/tests/result/viber_mobile.pcap.out
index df601dd7d..e08572565 100644
--- a/tests/result/viber_mobile.pcap.out
+++ b/tests/result/viber_mobile.pcap.out
@@ -6,7 +6,7 @@ SSL_No_Cert 36 5874 1
ICMP 4 518 3
SSL 90 22731 8
Facebook 39 16382 2
-DropBox 2 163 1
+Dropbox 2 163 1
GMail 35 14773 2
Google 75 17027 7
WhatsApp 31 6224 2
@@ -82,7 +82,7 @@ Viber 10081 1413446 4
68 TCP 93.184.221.200:80 <-> 192.168.200.222:50854 [proto: 7/HTTP][5 pkts/300 bytes]
69 UDP 192.168.200.222:39413 <-> 81.192.42.247:15057 [proto: 37/BitTorrent][1 pkts/146 bytes]
70 UDP 92.245.59.202:12998 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes]
- 71 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.DropBox][2 pkts/163 bytes]
+ 71 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes]
72 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][26 pkts/10057 bytes][SSL client: settings.crashlytics.com]
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index fd2edb823..41ec89cdf 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -4,7 +4,7 @@ DHCP 10 3420 1
STUN 97 11786 16
ICMP 10 700 1
SSL 8 589 2
-DropBox 4 2176 1
+Dropbox 4 2176 1
Apple 127 28102 20
WhatsApp 182 25154 2
AppleiTunes 85 28087 2
@@ -12,7 +12,7 @@ Spotify 3 258 1
WhatsAppVoice 706 91156 4
1 UDP [fe80::da30:62ff:fe56:1c]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes]
- 2 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/DropBox][4 pkts/2176 bytes]
+ 2 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/Dropbox][4 pkts/2176 bytes]
3 ICMP 192.168.2.4:0 <-> 91.253.176.65:0 [proto: 81/ICMP][10 pkts/700 bytes]
4 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][198 pkts/30418 bytes]
5 UDP 173.252.114.1:3478 <-> 192.168.2.4:52794 [proto: 78/STUN][5 pkts/676 bytes]
diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out
index 0a904dd54..13c56555a 100644
--- a/tests/result/whatsapp_login_chat.pcap.out
+++ b/tests/result/whatsapp_login_chat.pcap.out
@@ -1,11 +1,11 @@
MDNS 2 202 2
DHCP 6 2052 1
-DropBox 2 1088 1
+Dropbox 2 1088 1
Apple 50 23466 2
WhatsApp 32 3243 2
Spotify 1 86 1
- 1 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes]
+ 1 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes]
2 UDP [fe80::189c:c31b:1298:224]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes]
3 UDP 192.168.2.1:53 <-> 192.168.2.4:61697 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e12.whatsapp.net]
4 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][44 pkts/21371 bytes]