aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/include/ndpi_main.h7
-rw-r--r--src/include/ndpi_protocol_ids.h6
-rw-r--r--src/include/ndpi_typedefs.h6
-rw-r--r--src/lib/ndpi_content_match.c.inc3
-rw-r--r--src/lib/ndpi_main.c78
-rw-r--r--src/lib/ndpi_utils.c1
-rw-r--r--src/lib/protocols/line.c32
-rw-r--r--src/lib/protocols/stun.c172
-rw-r--r--src/lib/protocols/tls.c63
-rw-r--r--tests/pcap/Instagram.pcapbin576304 -> 0 bytes
-rw-r--r--tests/result/Instagram.pcap.out48
-rw-r--r--tests/result/KakaoTalk_chat.pcap.out4
-rw-r--r--tests/result/skype-conference-call.pcap.out2
-rw-r--r--tests/result/skype.pcap.out4
-rw-r--r--tests/result/skype_no_unknown.pcap.out4
-rw-r--r--tests/result/whatsapp_login_call.pcap.out43
-rw-r--r--tests/result/whatsapp_voice_and_message.pcap.out18
17 files changed, 214 insertions, 277 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 5ec98f6d9..bcec38d17 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -112,10 +112,9 @@ extern "C" {
extern void ndpi_packet_src_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_addr_t * ip);
extern void ndpi_packet_dst_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_addr_t * ip);
- extern char *ndpi_get_ip_string(struct ndpi_detection_module_struct *ndpi_struct,
- const ndpi_ip_addr_t * ip);
- extern char *ndpi_get_packet_src_ip_string(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_packet_struct *packet);
+ extern int ndpi_parse_ip_string(const char *ip_str, ndpi_ip_addr_t *parsed_ip);
+ extern char *ndpi_get_ip_string(const ndpi_ip_addr_t * ip, char *buf, u_int buf_len);
+
extern char* ndpi_get_proto_by_id(struct ndpi_detection_module_struct *ndpi_mod, u_int id);
u_int16_t ndpi_get_proto_by_name(struct ndpi_detection_module_struct *ndpi_mod, const char *name);
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index ceb3cf2c9..b1be9fd69 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -79,7 +79,7 @@ typedef enum {
NDPI_PROTOCOL_MINING = 42, /* Bitcoin, Ethereum, ZCash, Monero */
NDPI_PROTOCOL_NEST_LOG_SINK = 43, /* Nest Log Sink (Nest Protect) - Darryl Sokoloski <darryl@egloo.ca> */
NDPI_PROTOCOL_MODBUS = 44, /* Modbus */
- NDPI_PROTOCOL_WHATSAPP_VIDEO = 45,
+ NDPI_PROTOCOL_WHATSAPP_CALL = 45, /* WhatsApp video ad audio calls go here */
NDPI_PROTOCOL_DATASAVER = 46, /* Protocols used to save data on Internet communications */
NDPI_PROTOCOL_XBOX = 47,
NDPI_PROTOCOL_QQ = 48,
@@ -98,7 +98,7 @@ typedef enum {
NDPI_PROTOCOL_QQLIVE = 61,
NDPI_PROTOCOL_THUNDER = 62,
NDPI_PROTOCOL_SOULSEEK = 63,
- NDPI_FREE_64 = 64,
+ NDPI_PROTOCOL_FREE_64 = 64,
NDPI_PROTOCOL_IRC = 65,
NDPI_PROTOCOL_AYIYA = 66,
NDPI_PROTOCOL_UNENCRYPTED_JABBER = 67,
@@ -223,7 +223,7 @@ typedef enum {
NDPI_PROTOCOL_VEVO = 186,
NDPI_PROTOCOL_PANDORA = 187,
NDPI_PROTOCOL_QUIC = 188, /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */
- NDPI_PROTOCOL_WHATSAPP_VOICE = 189,
+ NDPI_PROTOCOL_FREE_189 = 189,
NDPI_PROTOCOL_EAQ = 190,
NDPI_PROTOCOL_OOKLA = 191,
NDPI_PROTOCOL_AMQP = 192,
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4d322e5e1..35c7911b3 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1078,10 +1078,6 @@ struct ndpi_detection_module_struct {
u_int32_t zattoo_connection_timeout;
u_int32_t jabber_stun_timeout;
u_int32_t jabber_file_transfer_timeout;
-#ifdef NDPI_ENABLE_DEBUG_MESSAGES
-#define NDPI_IP_STRING_SIZE 40
- char ip_string[NDPI_IP_STRING_SIZE];
-#endif
u_int8_t ip_version_limit;
/* NDPI_PROTOCOL_BITTORRENT */
struct hash_ip4p_table *bt_ht;
@@ -1200,7 +1196,7 @@ struct ndpi_flow_struct {
} ssl;
struct {
- u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype;
+ u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests;
} stun;
/* We can have STUN over SSL/TLS thus they need to live together */
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 81eebed72..67d2f5434 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8217,6 +8217,9 @@ static ndpi_network host_protocol_list[] = {
{ 0xD040C900 /* 208.64.201.0/22 */, 22, NDPI_PROTOCOL_STEAM },
{ 0xD04EA400 /* 208.78.164.0/22 */, 22, NDPI_PROTOCOL_STEAM },
+ /* Line */
+ { 0x7DD1FC00 /* 125.209.252.0/24 */, 24, NDPI_PROTOCOL_LINE },
+
{ 0x0, 0, 0 }
};
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index eee4dbb93..8bd7367f6 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1006,9 +1006,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "Modbus", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */
ndpi_build_default_ports(ports_a, 502, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_VIDEO,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_CALL,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "WhatsAppVideo", NDPI_PROTOCOL_CATEGORY_VOIP,
+ no_master, "WhatsAppCall", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DATASAVER,
@@ -1122,7 +1122,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_FREE_64,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_64,
0 /* can_have_a_subprotocol */, no_master,
no_master, "Free64", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -1249,9 +1249,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "PcAnywhere", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_VOICE,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_189,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "WhatsAppVoice", NDPI_PROTOCOL_CATEGORY_VOIP,
+ no_master, "Free189", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_FILES,
@@ -4055,7 +4055,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
goto check_stun_export;
else if((flow->guessed_protocol_id == NDPI_PROTOCOL_HANGOUT_DUO)
|| (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER)
- || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_VOICE))
+ || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL))
ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
else if((flow->l4.tcp.tls_seen_client_cert == 1)
&& (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
@@ -4131,13 +4131,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
check_stun_export:
if(flow->protos.stun_ssl.stun.num_processed_pkts || flow->protos.stun_ssl.stun.num_udp_pkts) {
// if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
- if(flow->protos.stun_ssl.stun.num_processed_pkts && flow->protos.stun_ssl.stun.is_skype) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
- } else {
- ndpi_set_detected_protocol(ndpi_struct, flow,
- flow->guessed_host_protocol_id,
- NDPI_PROTOCOL_STUN);
- }
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ flow->guessed_host_protocol_id,
+ NDPI_PROTOCOL_STUN);
}
}
@@ -5517,58 +5513,46 @@ void ndpi_packet_dst_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_add
/* ********************************************************************************* */
-#ifdef NDPI_ENABLE_DEBUG_MESSAGES
-/* get the string representation of ip
- * returns a pointer to a static string
- * only valid until the next call of this function */
-char *ndpi_get_ip_string(struct ndpi_detection_module_struct *ndpi_struct,
- const ndpi_ip_addr_t * ip)
-{
+char *ndpi_get_ip_string(const ndpi_ip_addr_t * ip, char *buf, u_int buf_len) {
const u_int8_t *a = (const u_int8_t *) &ip->ipv4;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
- if(ip->ipv6.u6_addr.u6_addr32[0] != 0 ||
- ip->ipv6.u6_addr.u6_addr32[1] != 0 ||
+ if(ip->ipv6.u6_addr.u6_addr32[1] != 0 ||
ip->ipv6.u6_addr.u6_addr32[2] != 0 ||
ip->ipv6.u6_addr.u6_addr32[3] != 0) {
- const u_int16_t *b = ip->ipv6.u6_addr.u6_addr16;
- snprintf(ndpi_struct->ip_string, 32, "%x:%x:%x:%x:%x:%x:%x:%x",
- ntohs(b[0]), ntohs(b[1]), ntohs(b[2]), ntohs(b[3]),
- ntohs(b[4]), ntohs(b[5]), ntohs(b[6]), ntohs(b[7]));
+ if(inet_ntop(AF_INET6, &ip->ipv6.u6_addr, buf, buf_len) == NULL)
+ buf[0] = '\0';
- return ndpi_struct->ip_string;
+ return buf;
}
#endif
- snprintf(ndpi_struct->ip_string, 32, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
+ snprintf(buf, buf_len, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
- return ndpi_struct->ip_string;
+ return buf;
}
-/* ********************************************************************************* */
+/* ****************************************************** */
-/* get the string representation of the source ip address from packet */
-char *ndpi_get_packet_src_ip_string(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_packet_struct *packet)
-{
- ndpi_ip_addr_t ip;
- ndpi_packet_src_ip_get(packet, &ip);
- return ndpi_get_ip_string(ndpi_struct, &ip);
-}
+/* Returns -1 on failutre, otherwise fills parsed_ip and returns the IP version */
+int ndpi_parse_ip_string(const char *ip_str, ndpi_ip_addr_t *parsed_ip) {
+ int rv = -1;
+ memset(parsed_ip, 0, sizeof(*parsed_ip));
-/* ********************************************************************************* */
+ if(strchr(ip_str, '.')) {
+ if(inet_pton(AF_INET, ip_str, &parsed_ip->ipv4) > 0)
+ rv = 4;
+#ifdef NDPI_DETECTION_SUPPORT_IPV6
+ } else {
+ if(inet_pton(AF_INET6, ip_str, &parsed_ip->ipv6) > 0)
+ rv = 6;
+#endif
+ }
-/* get the string representation of the destination ip address from packet */
-char *ndpi_get_packet_dst_ip_string(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_packet_struct *packet)
-{
- ndpi_ip_addr_t ip;
- ndpi_packet_dst_ip_get(packet, &ip);
- return ndpi_get_ip_string(ndpi_struct, &ip);
+ return(rv);
}
-#endif /* NDPI_ENABLE_DEBUG_MESSAGES */
/* ****************************************************** */
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index c3e0bb542..b8ffe2e17 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -719,6 +719,7 @@ char* ndpi_ssl_version2str(u_int16_t version) {
case 0x0302: return("TLSv1.1");
case 0x0303: return("TLSv1.2");
case 0x0304: return("TLSv1.3");
+ case 0xfb1a: return("TLSv1.3 (Fizz)"); /* https://engineering.fb.com/security/fizz/ */
case 0xfeff: return("DTLSv1.0");
case 0xfefd: return("DTLSv1.2");
}
diff --git a/src/lib/protocols/line.c b/src/lib/protocols/line.c
index 0e624ab7d..b6e676c55 100644
--- a/src/lib/protocols/line.c
+++ b/src/lib/protocols/line.c
@@ -36,31 +36,35 @@ void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct, struct n
NDPI_LOG_DBG(ndpi_struct, "search line\n");
- if(packet->iph) {
+ if (packet->iph) {
/* 125.209.252.xxx */
- if(((ntohl(packet->iph->saddr) & 0xFFFFFF00 /* 255.255.255.0 */) == 0x7DD1FC00)
- || ((ntohl(packet->iph->daddr) & 0xFFFFFF00 /* 255.255.255.0 */) == 0x7DD1FC00)) {
- if((packet->payload_packet_len == 110)
- && (flow->packet.payload[0] == 0xB6) && (flow->packet.payload[1] == 0x18)
- && (flow->packet.payload[2] == 0x00) && (flow->packet.payload[3] == 0x6A)) {
- ndpi_line_report_protocol(ndpi_struct, flow);
- return;
+ if (((ntohl(packet->iph->saddr) & 0xFFFFFF00 /* 255.255.255.0 */) == 0x7DD1FC00) ||
+ ((ntohl(packet->iph->daddr) & 0xFFFFFF00 /* 255.255.255.0 */) == 0x7DD1FC00)) {
+ if ((packet->payload_packet_len == 110) && (flow->packet.payload[0] == 0xB6) &&
+ (flow->packet.payload[1] == 0x18) && (flow->packet.payload[2] == 0x00) &&
+ (flow->packet.payload[3] == 0x6A)) {
+ ndpi_line_report_protocol(ndpi_struct, flow);
+ return;
}
}
}
+ if ((packet->payload_packet_len == 46 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6130006) ||
+ (packet->payload_packet_len == 8 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6070004) ||
+ (packet->payload_packet_len == 16 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb609000c)) {
+ ndpi_line_report_protocol(ndpi_struct, flow);
+ return;
+ }
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_line_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
- ndpi_set_bitmask_protocol_detection("Line", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_LINE,
- ndpi_search_line,
- NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
+ ndpi_set_bitmask_protocol_detection("Line", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_LINE,
+ ndpi_search_line, NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK);
*id += 1;
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 76a75fb8d..77ddf6ca0 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -41,6 +41,23 @@ struct stun_packet_header {
/* ************************************************************ */
+static u_int8_t is_stun_based_proto(u_int16_t proto) {
+
+ switch(proto) {
+ case NDPI_PROTOCOL_WHATSAPP_CALL:
+ case NDPI_PROTOCOL_MESSENGER:
+ case NDPI_PROTOCOL_HANGOUT_DUO:
+ case NDPI_PROTOCOL_SKYPE_CALL:
+ case NDPI_PROTOCOL_SIGNAL:
+ case NDPI_PROTOCOL_STUN:
+ return(1);
+ }
+
+ return(0);
+}
+
+/* ************************************************************ */
+
u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
if(rev)
return(flow->packet.iph->daddr + flow->packet.udp->dest);
@@ -52,7 +69,7 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- u_int app_proto, u_int proto) {
+ u_int proto, u_int app_proto) {
if(ndpi_struct->stun_cache == NULL)
ndpi_struct->stun_cache = ndpi_lru_cache_init(1024);
@@ -71,24 +88,25 @@ void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_stru
#endif
app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN;
} else {
- u_int32_t key1 = get_stun_lru_key(flow, 1);
+ u_int32_t key_rev = get_stun_lru_key(flow, 1);
- if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key1,
+ if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key_rev,
&cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
#ifdef DEBUG_LRU
- printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key1, cached_proto, proto, app_proto);
+ printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key_rev, cached_proto, proto, app_proto);
#endif
app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN;
} else {
if(app_proto != NDPI_PROTOCOL_STUN) {
/* No sense to ass STUN, but only subprotocols */
-
+
#ifdef DEBUG_LRU
printf("[LRU] ADDING %u / %u.%u [%u -> %u]\n", key, proto, app_proto,
ntohs(flow->packet.udp->source), ntohs(flow->packet.udp->dest));
#endif
-
+
ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto);
+ ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key_rev, app_proto);
}
}
}
@@ -140,11 +158,7 @@ static int is_messenger_ip_address(u_int32_t host) {
static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload,
- const u_int16_t payload_length,
- u_int8_t *is_whatsapp,
- u_int8_t *is_messenger,
- u_int8_t *is_duo
- ) {
+ const u_int16_t payload_length) {
u_int16_t msg_type, msg_len;
struct stun_packet_header *h = (struct stun_packet_header*)payload;
u_int8_t can_this_be_whatsapp_voice = 1;
@@ -152,15 +166,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
/* STUN over TCP does not look good */
if(flow->packet.tcp) return(NDPI_IS_NOT_STUN);
- *is_whatsapp = 0, *is_messenger = 0, *is_duo = 0;
-
if(payload_length >= 512) {
return(NDPI_IS_NOT_STUN);
} else if(payload_length < sizeof(struct stun_packet_header)) {
/* This looks like an invalid packet */
if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
- *is_whatsapp = 1;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else
return(NDPI_IS_NOT_STUN);
@@ -179,6 +191,19 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#ifdef DEBUG_STUN
printf("[STUN] msg_type = %04X\n", msg_type);
#endif
+
+ if(is_stun_based_proto(flow->guessed_host_protocol_id)) {
+ /*
+ In this case we have the detected the typical STUN pattern
+ of modern protocols where the flow starts as STUN and becomes
+ something else that has nothing to do with STUN anymore
+ */
+ ndpi_int_stun_add_connection(ndpi_struct, flow,
+ flow->guessed_protocol_id,
+ flow->guessed_host_protocol_id);
+ return(NDPI_IS_STUN);
+ }
+
return(NDPI_IS_NOT_STUN);
}
@@ -214,21 +239,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
flow->guessed_host_protocol_id = proto, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
- switch(proto) {
- case NDPI_PROTOCOL_WHATSAPP:
- *is_whatsapp = 1;
- break;
- case NDPI_PROTOCOL_MESSENGER:
- *is_messenger = 1;
- break;
- case NDPI_PROTOCOL_HANGOUT_DUO:
- *is_duo = 1;
- break;
- case NDPI_PROTOCOL_SKYPE_CALL:
- flow->protos.stun_ssl.stun.is_skype = 1;
- break;
- }
-
return(NDPI_IS_STUN);
} else {
#ifdef DEBUG_LRU
@@ -247,10 +257,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE))
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
else
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_STUN;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(msg_len == 0) {
- flow->protos.stun_ssl.stun.num_udp_pkts++;
+ /* flow->protos.stun_ssl.stun.num_udp_pkts++; */
return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
}
}
@@ -270,12 +280,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(((payload[0] == 0x80)
&& (payload_length < 512)
&& ((msg_len+20) <= payload_length)) /* WhatsApp Voice */) {
- *is_whatsapp = 1;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else if((payload[0] == 0x90)
&& (((msg_len+11) == payload_length) /* WhatsApp Video */
|| (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
- *is_whatsapp = 2;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Video */
}
@@ -285,7 +295,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
switch(flow->guessed_protocol_id) {
case NDPI_PROTOCOL_HANGOUT_DUO:
case NDPI_PROTOCOL_MESSENGER:
- case NDPI_PROTOCOL_WHATSAPP_VOICE:
+ case NDPI_PROTOCOL_WHATSAPP_CALL:
/* Don't overwrite the protocol with sub-STUN protocols */
break;
@@ -323,8 +333,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
switch(attribute) {
- case 0x0008: /* Message Integrity */
- case 0x0020: /* XOR-MAPPED-ADDRESSES */
+ // case 0x0008: /* Message Integrity */
+ // case 0x0020: /* XOR-MAPPED-ADDRESSES */
case 0x4000:
case 0x4001:
case 0x4002:
@@ -349,7 +359,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
if(strstr((char*)flow->host_server_name, "google.com") != NULL) {
- *is_duo = 1;
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
return(NDPI_IS_STUN);
} else if(strstr((char*)flow->host_server_name, "whispersystems.org") != NULL) {
@@ -363,12 +372,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0xC057: /* Messeger */
if(msg_type == 0x0001) {
if((msg_len == 100) || (msg_len == 104)) {
- *is_messenger = 1;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
return(NDPI_IS_STUN);
} else if(msg_len == 76) {
#if 0
- *is_duo = 1;
-
if(1) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */
@@ -390,7 +397,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
printf("==> Skype found\n");
#endif
flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL;
- flow->protos.stun_ssl.stun.is_skype = 1;
return(NDPI_IS_STUN);
}
break;
@@ -411,7 +417,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL;
- flow->protos.stun_ssl.stun.is_skype = 1;
return(NDPI_IS_STUN);
break;
@@ -424,7 +429,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))
) {
flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL;
- flow->protos.stun_ssl.stun.is_skype = 1;
#ifdef DEBUG_STUN
printf("==> Skype (3) found\n");
#endif
@@ -451,13 +455,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
goto udp_stun_found;
} else if(msg_type == 0x0800) {
- *is_whatsapp = 1;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp */
}
}
if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
- *is_whatsapp = 1;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else
return(NDPI_IS_NOT_STUN);
@@ -466,23 +470,25 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(can_this_be_whatsapp_voice) {
struct ndpi_packet_struct *packet = &flow->packet;
int rc;
-
+
flow->protos.stun_ssl.stun.num_processed_pkts++;
#ifdef DEBUG_STUN
- printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n");
+ printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n");
#endif
if((ntohs(packet->udp->source) == 3478) || (ntohs(packet->udp->dest) == 3478)) {
flow->guessed_host_protocol_id = (is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr))) ?
- NDPI_PROTOCOL_MESSENGER : NDPI_PROTOCOL_WHATSAPP_VOICE;
+ NDPI_PROTOCOL_MESSENGER : NDPI_PROTOCOL_WHATSAPP_CALL;
} else
flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
- ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE;
+ ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_CALL;
rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
if(rc == NDPI_IS_STUN)
- ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_IS_STUN);
+ ndpi_int_stun_add_connection(ndpi_struct, flow,
+ NDPI_IS_STUN,
+ flow->guessed_host_protocol_id);
return(rc);
} else {
@@ -498,7 +504,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
- u_int8_t is_whatsapp = 0, is_messenger = 0, is_duo = 0;
NDPI_LOG_DBG(ndpi_struct, "search stun\n");
@@ -517,64 +522,27 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
* improved by checking only the STUN packet of given length */
if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2,
- packet->payload_packet_len - 2,
- &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) {
- if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
-
- if(is_messenger) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN);
- return;
- } else if(is_duo) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
- return;
- } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN);
- return;
- } else if(flow->protos.stun_ssl.stun.is_skype || (flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL)) {
- NDPI_LOG_INFO(ndpi_struct, "found Skype\n");
-
- // if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
- } else {
- NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */
- ndpi_int_stun_add_connection(ndpi_struct, flow,
- is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) : NDPI_PROTOCOL_STUN,
- NDPI_PROTOCOL_UNKNOWN);
- }
-
- return;
+ packet->payload_packet_len - 2) == NDPI_IS_STUN) {
+ goto udp_stun_match;
}
}
}
/* UDP */
if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
- packet->payload_packet_len,
- &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) {
- if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
-
- if(is_messenger) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN);
- return;
- } else if(is_duo) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
- return;
- } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN);
- return;
- } else if(flow->protos.stun_ssl.stun.is_skype) {
- NDPI_LOG_INFO(ndpi_struct, "Found Skype\n");
-
- /* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
- // if((flow->protos.stun_ssl.stun.num_udp_pkts >= 6) || (flow->protos.stun_ssl.stun.num_binding_requests >= 3))
- ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
- } else {
- NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n");
- ndpi_int_stun_add_connection(ndpi_struct, flow,
- is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO)
- : NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN);
- }
+ packet->payload_packet_len) == NDPI_IS_STUN) {
+ udp_stun_match:
+ if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+ flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
+ flow->guessed_host_protocol_id = flow->guessed_protocol_id;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ }
+
+ ndpi_int_stun_add_connection(ndpi_struct, flow,
+ flow->guessed_protocol_id,
+ flow->guessed_host_protocol_id);
return;
}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8a4d0c3ac..f63da2067 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -31,7 +31,7 @@
extern char *strptime(const char *s, const char *format, struct tm *tm);
-// #define DEBUG_TLS 1
+/* #define DEBUG_TLS 1 */
#define DEBUG_FINGERPRINT 1
@@ -176,7 +176,7 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) {
#define MAX_NUM_JA3 128
struct ja3_info {
- u_int16_t tls_version;
+ u_int16_t tls_handshake_version;
u_int16_t num_cipher, cipher[MAX_NUM_JA3];
u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
@@ -263,7 +263,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
else
tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12]));
- ja3.tls_version = tls_version;
+ ja3.tls_handshake_version = tls_version;
if(handshake_protocol == 0x02) {
u_int16_t offset = base_offset, extension_len, j;
@@ -291,36 +291,49 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
#ifdef DEBUG_TLS
- printf("SSL [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
+ printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
#endif
offset += 2 + 1;
extension_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
#ifdef DEBUG_TLS
- printf("SSL [server][extension_len: %u]\n", extension_len);
+ printf("TLS [server][extension_len: %u]\n", extension_len);
#endif
offset += 2;
for(i=0; i<extension_len; ) {
- u_int16_t id, len;
+ u_int16_t extension_id, extension_len;
if(offset >= (packet->payload_packet_len+4)) break;
- id = ntohs(*((u_int16_t*)&packet->payload[offset]));
- len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
+ extension_id = ntohs(*((u_int16_t*)&packet->payload[offset]));
+ extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
if(ja3.num_tls_extension < MAX_NUM_JA3)
- ja3.tls_extension[ja3.num_tls_extension++] = id;
+ ja3.tls_extension[ja3.num_tls_extension++] = extension_id;
#ifdef DEBUG_TLS
- printf("SSL [server][extension_id: %u/0x%04X]\n", id, id);
+ printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n",
+ extension_id, extension_id, extension_len);
#endif
- i += 4 + len, offset += 4 + len;
+ if(extension_id == 43 /* supported versions */) {
+ if(extension_len >= 2) {
+ u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4]));
+
+#ifdef DEBUG_TLS
+ printf("TLS [server] [TLS version: 0x%04X]\n", tls_version);
+#endif
+
+ flow->protos.stun_ssl.ssl.ssl_version = tls_version;
+ }
+ }
+
+ i += 4 + extension_len, offset += 4 + extension_len;
}
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_version);
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
for(i=0; i<ja3.num_cipher; i++)
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
@@ -333,7 +346,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
#ifdef DEBUG_TLS
- printf("SSL [server] %s\n", ja3_str);
+ printf("TLS [server] %s\n", ja3_str);
#endif
#ifdef DEBUG_TLS
@@ -426,7 +439,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
session_id_len = packet->payload[base_offset];
- ja3.tls_version = tls_version;
+ ja3.tls_handshake_version = tls_version;
if((session_id_len+base_offset+2) <= total_len) {
u_int16_t cipher_len, cipher_offset;
@@ -533,7 +546,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
#endif
}
}
-
+
if(extension_id == 0 /* server name */) {
u_int16_t len;
@@ -611,6 +624,20 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len);
#endif
}
+ } else if(extension_id == 43 /* supported versions */) {
+ u_int8_t version_len = packet->payload[offset+4];
+
+ if(version_len == (extension_len-1)) {
+#ifdef DEBUG_TLS
+ u_int8_t j;
+
+ for(j=0; j<version_len; j += 2) {
+ u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+5+j]));
+
+ printf("Client SSL [TLS version: 0x%04X]\n", tls_version);
+ }
+#endif
+ }
}
extension_offset += extension_len;
@@ -621,7 +648,8 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
} /* while */
if(!invalid_ja3) {
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_version);
+ compute_ja3c:
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
for(i=0; i<ja3.num_cipher; i++) {
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
@@ -670,6 +698,9 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
return(2 /* Client Certificate */);
}
+ } else if(offset == total_len) {
+ /* SSL does not have extensions etc */
+ goto compute_ja3c;
}
}
}
diff --git a/tests/pcap/Instagram.pcap b/tests/pcap/Instagram.pcap
deleted file mode 100644
index af83dc942..000000000
--- a/tests/pcap/Instagram.pcap
+++ /dev/null
Binary files differ
diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out
deleted file mode 100644
index 87d7d23c7..000000000
--- a/tests/result/Instagram.pcap.out
+++ /dev/null
@@ -1,48 +0,0 @@
-Unknown 1 66 1
-HTTP 116 91784 6
-ICMP 5 510 1
-TLS 2 169 1
-Facebook 251 215986 5
-Dropbox 5 725 2
-Instagram 363 255094 16
-
-JA3 Host Stats:
- IP Address # JA3C
- 1 192.168.0.103 1
-
-
- 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][103 pkts/150456 bytes <-> 47 pkts/3102 bytes][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.4/36.5 1246/1247 127.3/187.9][Pkt Len c2s/s2c min/avg/max/stddev: 1128/66 1460.7/66.0 1464/66 32.9/0.0][PLAIN TEXT (dnlN/L)]
- 2 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Host: photos-h.ak.instagram.com][bytes ratio: -0.962 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5.0/0.3 33/2 8.9/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/1484 86.0/1484.0 326/1484 69.3/0.0][PLAIN TEXT (GET /hphotos)]
- 3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Host: photos-g.ak.instagram.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2.1/0.5 62/2 10.1/0.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/396 73.0/1435.2 326/1484 42.2/209.5][PLAIN TEXT (GET /hphotos)]
- 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 196.5/196.8 7254/7292 1131.5/1152.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][PLAIN TEXT (GET /hphotos)]
- 5 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Host: photos-g.ak.instagram.com][bytes ratio: -0.927 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.8/13.4 321/322 68.4/57.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/186 76.5/1423.0 319/1484 50.6/248.6][PLAIN TEXT (GET /hphotos)]
- 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 304.3/301.6 7669/7709 1329.2/1337.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163.4/1180.4 1431/1464 317.9/494.8]
- 7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][cat: Web/5][25 pkts/37100 bytes <-> 24 pkts/1584 bytes][bytes ratio: 0.918 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.2/1.2 7/7 1.6/1.6][Pkt Len c2s/s2c min/avg/max/stddev: 1484/66 1484.0/66.0 1484/66 0.0/0.0][PLAIN TEXT (inOCIM)]
- 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][cat: Web/5][14 pkts/924 bytes <-> 20 pkts/28115 bytes][bytes ratio: -0.936 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 565.8/387.0 7321/7343 1950.1/1639.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66.0/1405.8 66/1484 0.0/309.0][PLAIN TEXT (dGQaNFV)]
- 9 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][cat: Web/5][16 pkts/22931 bytes <-> 9 pkts/594 bytes][bytes ratio: 0.950 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.7/1.5 5/4 1.2/1.2][Pkt Len c2s/s2c min/avg/max/stddev: 671/66 1433.2/66.0 1484/66 196.8/0.0][PLAIN TEXT (DD.DOo)]
- 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][bytes ratio: -0.707 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.6/20.2 56/88 18.0/29.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/885.7 375/1484 113.9/639.8][TLSv1][Client: igcdn-photos-g-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][bytes ratio: -0.515 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.8/24.3 79/103 24.9/36.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.5/689.1 516/1484 151.0/647.4][TLSv1][Client: igcdn-photos-h-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/4699 bytes <-> 6 pkts/1345 bytes][bytes ratio: 0.555 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 471.8/471.8 2180/2130 856.9/833.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 783.2/224.2 1464/1015 545.1/353.7]
- 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.7/9.0 70/40 26.4/15.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.3/9.6 71/47 26.6/18.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][bytes ratio: -0.526 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.0/486.2 254/2227 109.7/873.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/686.3 1015/1464 379.6/610.1]
- 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 5 pkts/4020 bytes][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53.8/43.0 215/172 93.1/74.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/804.0 1015/1464 379.6/595.0]
- 17 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Host: photos-f.ak.instagram.com][bytes ratio: -0.722 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 61.3/0.5 184/1 86.7/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 78/488 139.8/1152.0 325/1484 107.0/469.5][PLAIN TEXT (GET /hphotos)]
- 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 100.1/88.7 183/182 78.4/77.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 175.9/133.0 530/231 154.8/70.1][TLSv1][Client: telegraph-ash.instagram.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][JA3S: acb741bcdffb787c5a52654c78645bdf][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 19 UDP 192.168.0.106:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/580 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 413767116)]
- 20 ICMP 192.168.0.103:0 -> 192.168.0.103:0 [proto: 81/ICMP][cat: Network/14][5 pkts/510 bytes -> 0 pkts/0 bytes]
- 21 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/89 bytes <-> 1 pkts/305 bytes][Host: igcdn-photos-h-a.akamaihd.net][PLAIN TEXT (photos)]
- 22 TCP 192.168.0.103:37350 -> 82.85.26.153:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][1 pkts/324 bytes -> 0 pkts/0 bytes][Host: photos-a.ak.instagram.com][PLAIN TEXT (GET /hphotos)]
- 23 TCP 192.168.0.103:58053 -> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][1 pkts/321 bytes -> 0 pkts/0 bytes][Host: photos-g.ak.instagram.com][PLAIN TEXT (GET /hphotos)]
- 24 UDP 192.168.0.103:26540 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-g-a.akamaihd.net][PLAIN TEXT (photos)]
- 25 UDP 192.168.0.103:33603 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-a-a.akamaihd.net][PLAIN TEXT (photos)]
- 26 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
- 27 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes]
- 28 TCP 192.168.0.103:58690 -> 46.33.70.159:443 [proto: 91/TLS][cat: Web/5][2 pkts/169 bytes -> 0 pkts/0 bytes]
- 29 UDP 192.168.0.106:17500 -> 192.168.0.255:17500 [proto: 121/Dropbox][cat: Cloud/13][1 pkts/145 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 413767116)]
- 30 TCP 46.33.70.150:80 <-> 192.168.0.103:40855 [proto: 7/HTTP][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/66 bytes]
- 31 UDP 192.168.0.103:27124 -> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/85 bytes -> 0 pkts/0 bytes][Host: photos-b.ak.instagram.com][PLAIN TEXT (photos)]
-
-
-Undetected flows:
- 1 UDP 192.168.0.1:520 -> 192.168.0.255:520 [proto: 0/Unknown][1 pkts/66 bytes -> 0 pkts/0 bytes]
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
index cb301a6bc..871f981c8 100644
--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@@ -10,7 +10,7 @@ KakaoTalk 55 9990 15
JA3 Host Stats:
IP Address # JA3C
- 1 10.24.82.188 2
+ 1 10.24.82.188 3
1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 60.8/58.1 488/297 116.5/77.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
@@ -22,7 +22,7 @@ JA3 Host Stats:
7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 944.1/862.6 10357/10320 2839.5/2730.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2922.8/5819.6 12590/13598 3981.5/4890.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131.2/188.3 657/274 136.4/75.5]
9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][bytes ratio: 0.442 (Upload)][IAT c2s/s2c min/avg/max/stddev: 40/104 3064.0/3022.1 12765/12806 4269.0/4324.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193.0/74.7 303/98 122.5/20.9]
- 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (Gyeonggi do)]
+ 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Cipher: TLS_RSA_WITH_RC4_128_MD5][PLAIN TEXT (Gyeonggi do)]
11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/0 5491.0/4361.0 21620/21500 9312.5/8569.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/104.5 243/339 73.2/104.9][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)]
12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 43/38 5451.5/5418.0 21457/21368 9241.2/9209.0][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/114.2 243/339 73.2/112.4][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)]
13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 136/98 4276.2/4284.2 13075/13111 4413.9/4432.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 56.0/56.0 56/56 0.0/0.0]
diff --git a/tests/result/skype-conference-call.pcap.out b/tests/result/skype-conference-call.pcap.out
index b22aa69c1..b34d958e2 100644
--- a/tests/result/skype-conference-call.pcap.out
+++ b/tests/result/skype-conference-call.pcap.out
@@ -1,3 +1,3 @@
SkypeCall 200 39687 1
- 1 UDP 192.168.2.20:49282 <-> 104.46.40.49:60642 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][133 pkts/24845 bytes <-> 67 pkts/14842 bytes][bytes ratio: 0.252 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/22.4 159/203 24.8/47.7][Pkt Len c2s/s2c min/avg/max/stddev: 74/77 186.8/221.5 957/957 244.4/233.0][PLAIN TEXT (vRKSoR)]
+ 1 UDP 192.168.2.20:49282 <-> 104.46.40.49:60642 [proto: 78.38/STUN.SkypeCall][cat: VoIP/10][133 pkts/24845 bytes <-> 67 pkts/14842 bytes][bytes ratio: 0.252 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/22.4 159/203 24.8/47.7][Pkt Len c2s/s2c min/avg/max/stddev: 74/77 186.8/221.5 957/957 244.4/233.0][PLAIN TEXT (vRKSoR)]
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index 84ede744c..fbd6d8290 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -17,10 +17,10 @@ ApplePush 12 1877 1
JA3 Host Stats:
IP Address # JA3C
- 1 192.168.1.34 1
+ 1 192.168.1.34 2
- 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 893.0/683.9 30166/30261 4224.2/3588.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 893.0/683.9 30166/30261 4224.2/3588.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 418.8/332.6 8300/8646 1054.3/998.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 260.7/433.2 1506/1506 342.9/569.4][PLAIN TEXT ( 0sKWL)]
3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2052.4/0.0 19950/0 6020.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373.2/0.0 405/0 28.8/0.0][PLAIN TEXT (NOTIFY )]
4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1102.2/1098.6 41869/42024 6370.8/6397.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224.1/247.7 680/1494 261.3/323.6][TLSv1.2][Client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index 9c208e01d..3ceba1f69 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -15,10 +15,10 @@ ApplePush 8 1118 1
JA3 Host Stats:
IP Address # JA3C
- 1 192.168.1.34 1
+ 1 192.168.1.34 2
- 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 310.0/282.2 45360/45460 3520.1/3369.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/TLS.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 310.0/282.2 45360/45460 3520.1/3369.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][bytes ratio: -0.323 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 227.1/220.7 3095/3095 375.1/372.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303.8/611.6 1506/1506 405.8/625.9][PLAIN TEXT (nZREBS)]
3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1847.3/1843.3 55625/55761 9059.8/9088.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4]
4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1714.9/0.0 19856/0 5553.3/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 372.3/0.0 405/0 28.7/0.0][PLAIN TEXT (NOTIFY )]
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index 8ea3807d2..6d8bd54a8 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -1,14 +1,13 @@
HTTP 11 726 3
MDNS 8 952 4
DHCP 10 3420 1
+WhatsAppCall 803 102942 20
ICMP 10 700 1
-RTP 44 7818 2
TLS 8 589 2
Dropbox 4 2176 1
Apple 190 50263 21
WhatsApp 182 25154 2
Spotify 3 258 1
-WhatsAppVoice 759 95124 18
ApplePush 22 5926 1
JA3 Host Stats:
@@ -16,35 +15,35 @@ JA3 Host Stats:
1 192.168.2.4 1
- 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 49.3/34.3 209/352 59.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145.3/93.1 525/488 100.0/64.5][PLAIN TEXT (zTdFPOk)]
- 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 51.7/132.2 307/539 65.0/84.2][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124.3/226.1 484/552 75.0/128.5]
+ 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 49.3/34.3 209/352 59.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145.3/93.1 525/488 100.0/64.5][PLAIN TEXT (zTdFPOk)]
+ 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 51.7/132.2 307/539 65.0/84.2][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124.3/226.1 484/552 75.0/128.5]
3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1356.0/1696.8 28162/28146 4142.9/4597.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147.1/127.0 1506/754 238.5/99.0][PLAIN TEXT (iPhone)]
4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1224.0/1483.8 31033/31176 5745.1/6337.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1641.8/2031.8 30435/30711 6607.5/7407.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][Server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2014-03-08 01:53:04 - 2029-03-08 01:53:04][Cipher: TLS_RSA_WITH_RC4_128_MD5]
6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.5/50.1 271/228 96.9/86.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12518.4/12519.7 101116/101113 30245.8/30246.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)]
- 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 87/RTP][cat: Media/1][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2652.5/1821.0 18656/18299 5702.0/5214.6][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5]
+ 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2652.5/1821.0 18656/18299 5702.0/5214.6][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5]
9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]
- 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 87/RTP][cat: Media/1][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1790.6/713.6 6986/6468 2740.8/1919.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8]
+ 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1790.6/713.6 6986/6468 2740.8/1919.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8]
11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)]
12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 116.9/111.0 275/175 106.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5]
- 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.7/0.0 667/0 12.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0]
- 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0]
+ 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.7/0.0 667/0 12.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0]
+ 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0]
15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0]
- 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 18 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 22 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 23 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 24 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 25 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][PLAIN TEXT (ay.OF@)]
- 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 18 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 22 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 23 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 24 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 25 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][PLAIN TEXT (ay.OF@)]
+ 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
30 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes]
31 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes]
32 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: query.ess.apple.com][PLAIN TEXT (akadns)]
diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out
index 601d041f4..3e220eab3 100644
--- a/tests/result/whatsapp_voice_and_message.pcap.out
+++ b/tests/result/whatsapp_voice_and_message.pcap.out
@@ -1,16 +1,16 @@
+WhatsAppCall 44 5916 8
WhatsApp 217 22139 5
-WhatsAppVoice 44 5916 8
1 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][cat: Chat/9][30 pkts/2539 bytes <-> 32 pkts/3070 bytes][bytes ratio: -0.095 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1648.8/1542.2 28667/28718 5223.8/5079.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.6/95.9 299/559 55.4/94.3][PLAIN TEXT (Android)]
2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][cat: Chat/9][24 pkts/3029 bytes <-> 22 pkts/1961 bytes][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 586.2/638.9 10696/10748 2161.3/2265.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.2/89.1 590/469 124.1/91.7][PLAIN TEXT (Android)]
3 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][cat: Chat/9][15 pkts/2690 bytes <-> 15 pkts/2019 bytes][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 614.6/602.7 8044/4043 2061.7/1396.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 179.3/134.6 590/1022 202.7/240.7][PLAIN TEXT (Android)]
4 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][cat: Chat/9][26 pkts/2311 bytes <-> 26 pkts/2300 bytes][bytes ratio: 0.002 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 402.6/402.2 6149/6160 1222.3/1226.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 88.9/88.5 299/308 58.4/60.8][PLAIN TEXT (Android)]
5 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][cat: Chat/9][14 pkts/1123 bytes <-> 13 pkts/1097 bytes][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 102.8/102.9 318/331 97.7/90.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 80.2/84.4 231/286 43.9/62.4][PLAIN TEXT (Android)]
- 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][5 pkts/840 bytes <-> 4 pkts/344 bytes][bytes ratio: 0.419 (Upload)][IAT c2s/s2c min/avg/max/stddev: 208/189 15170.2/209.7 60006/241 25885.9/22.5][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168.0/86.0 168/86 0.0/0.0]
- 7 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 8 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 9 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 10 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 11 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
- 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][5 pkts/840 bytes <-> 4 pkts/344 bytes][bytes ratio: 0.419 (Upload)][IAT c2s/s2c min/avg/max/stddev: 208/189 15170.2/209.7 60006/241 25885.9/22.5][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168.0/86.0 168/86 0.0/0.0]
+ 7 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 8 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 9 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 10 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 11 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]
+ 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes]