diff options
| -rw-r--r-- | src/include/ndpi_protocols.h | 2 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 43 | ||||
| -rw-r--r-- | src/lib/protocols/bittorrent.c | 57 | ||||
| -rw-r--r-- | tests/cfgs/default/result/lru_ipv6_caches.pcapng.out | 37 | ||||
| -rw-r--r-- | tests/cfgs/default/result/stun.pcap.out | 2 |
5 files changed, 82 insertions, 59 deletions
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index b97726080..c9e247834 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -58,8 +58,6 @@ void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct, void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id); void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id); void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id); -int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int32_t saddr, u_int16_t sport, u_int32_t daddr, u_int16_t dport); void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id); void init_teredo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id); void init_ciscovpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 3a27ff740..d2c38fbc2 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -197,6 +197,8 @@ _Static_assert(sizeof(ndpi_known_risks) / sizeof(ndpi_risk_info) == NDPI_MAX_RIS extern void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_risk_enum r); extern u_int32_t make_mining_key(struct ndpi_flow_struct *flow); +extern u_int32_t make_bittorrent_host_key(struct ndpi_flow_struct *flow, int client, int offset); +extern u_int32_t make_bittorrent_peers_key(struct ndpi_flow_struct *flow); extern int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); extern void ookla_add_to_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); @@ -6103,42 +6105,37 @@ u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port) { /* #define BITTORRENT_CACHE_DEBUG */ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - /* Parameters below need to be in network byte order */ - u_int32_t saddr, u_int16_t sport, u_int32_t daddr, u_int16_t dport) { + struct ndpi_flow_struct *flow) { #ifdef BITTORRENT_CACHE_DEBUG - printf("[%s:%u] ndpi_search_into_bittorrent_cache(%08X, %u, %08X, %u) [bt_check_performed=%d]\n", - __FILE__, __LINE__, saddr, sport, daddr, dport, - flow ? flow->bt_check_performed : -1); + printf("[%s:%u] ndpi_search_into_bittorrent_cache(%u, %u) [bt_check_performed=%d]\n", + __FILE__, __LINE__, ntohs(flow->c_port), ntohs(flow->s_port), + flow->bt_check_performed); #endif - if(flow && flow->bt_check_performed /* Do the check once */) + if(flow->bt_check_performed /* Do the check once */) return(0); if(ndpi_struct->bittorrent_cache) { u_int16_t cached_proto; u_int8_t found = 0; - u_int32_t key1, key2; + u_int32_t key, key1, key2; - if(flow) - flow->bt_check_performed = 1; + flow->bt_check_performed = 1; /* Check cached communications */ - key1 = ndpi_ip_port_hash_funct(saddr, sport), key2 = ndpi_ip_port_hash_funct(daddr, dport); + key = make_bittorrent_peers_key(flow); + key1 = make_bittorrent_host_key(flow, 1, 0), key2 = make_bittorrent_host_key(flow, 0, 0); found = - ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, saddr+daddr, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)) + ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)) || ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, key1, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)) || ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, key2, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)); #ifdef BITTORRENT_CACHE_DEBUG - if(ndpi_struct->packet.udp) - printf("[BitTorrent] *** [UDP] SEARCHING ports %u / %u [%u][%u][found: %u][packet_counter: %u]\n", - ntohs(sport), ntohs(dport), key1, key2, found, flow ? flow->packet_counter : 0); - else - printf("[BitTorrent] *** [TCP] SEARCHING ports %u / %u [%u][%u][found: %u][packet_counter: %u]\n", - ntohs(sport), ntohs(dport), key1, key2, found, flow ? flow->packet_counter : 0); + printf("[BitTorrent] *** [%s] SEARCHING ports %u / %u [%u][%u][%u][found: %u]\n", + flow->l4_proto == IPPROTO_UDP ? "UDP": "TCP", + ntohs(flow->c_port), ntohs(flow->s_port), key, key1, key2, found); #endif return(found); @@ -6268,9 +6265,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* Does it looks like BitTorrent? */ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && - ndpi_search_into_bittorrent_cache(ndpi_str, flow, - flow->c_address.v4, flow->c_port, - flow->s_address.v4, flow->s_port)) { + ndpi_search_into_bittorrent_cache(ndpi_str, flow)) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); ret.app_protocol = flow->detected_protocol_stack[0]; } @@ -6736,6 +6731,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio } flow->num_processed_pkts++; + ndpi_str->current_ts = current_time_ms; /* Init default */ @@ -7911,10 +7907,7 @@ static ndpi_protocol ndpi_internal_guess_undetected_protocol(struct ndpi_detecti } if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && - !flow->is_ipv6 && /* TODO */ - ndpi_search_into_bittorrent_cache(ndpi_str, flow, - flow->c_address.v4, flow->c_port, - flow->s_address.v4, flow->s_port)) { + ndpi_search_into_bittorrent_cache(ndpi_str, flow)) { /* This looks like BitTorrent */ ret.app_protocol = NDPI_PROTOCOL_BITTORRENT; } diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index 40268cb90..9e195691b 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -40,6 +40,9 @@ struct ndpi_utp_hdr { u_int16_t sequence_nr, ack_nr; }; +extern int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + /* Forward declaration */ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); @@ -100,12 +103,45 @@ static void ndpi_search_bittorrent_hash(struct ndpi_detection_module_struct *ndp /* *********************************************** */ +u_int32_t make_bittorrent_host_key(struct ndpi_flow_struct *flow, int client, int offset) { + u_int32_t key; + + /* network byte order */ + if(flow->is_ipv6) { + if(client) + key = ndpi_ip_port_hash_funct(ndpi_quick_hash(flow->c_address.v6, 16), htons(ntohs(flow->c_port) + offset)); + else + key = ndpi_ip_port_hash_funct(ndpi_quick_hash(flow->s_address.v6, 16), flow->s_port); + } else { + if(client) + key = ndpi_ip_port_hash_funct(flow->c_address.v4, htons(ntohs(flow->c_port) + offset)); + else + key = ndpi_ip_port_hash_funct(flow->s_address.v4, flow->s_port); + } + + return key; +} + +/* *********************************************** */ + +u_int32_t make_bittorrent_peers_key(struct ndpi_flow_struct *flow) { + u_int32_t key; + + /* network byte order */ + if(flow->is_ipv6) + key = ndpi_quick_hash(flow->c_address.v6, 16) + ndpi_quick_hash(flow->s_address.v6, 16); + else + key = flow->c_address.v4 + flow->s_address.v4; + + return key; +} + +/* *********************************************** */ + static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, int bt_offset, int check_hash, ndpi_confidence_t confidence) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - if(check_hash) ndpi_search_bittorrent_hash(ndpi_struct, flow, bt_offset); @@ -118,23 +154,24 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc flow->extra_packets_func = search_bittorrent_again; } - if(ndpi_struct->bittorrent_cache && packet->iph) { - u_int32_t key1, key2, i; + if(ndpi_struct->bittorrent_cache) { + u_int32_t key, key1, key2, i; + + key = make_bittorrent_peers_key(flow); + key1 = make_bittorrent_host_key(flow, 1, 0), key2 = make_bittorrent_host_key(flow, 0, 0); - key1 = ndpi_ip_port_hash_funct(flow->c_address.v4, flow->c_port), key2 = ndpi_ip_port_hash_funct(flow->s_address.v4, flow->s_port); - ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key2, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); /* Now add hosts as twins */ ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, - flow->c_address.v4 + flow->s_address.v4, + key, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); - + /* Also add +2 ports of the sender in order to catch additional sockets open by the same client */ for(i=0; i<2; i++) { - key1 = ndpi_ip_port_hash_funct(flow->c_address.v4, htons(ntohs(flow->c_port)+1+i)); + key1 = make_bittorrent_host_key(flow, 1, 1 + i); ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); } @@ -430,7 +467,7 @@ static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { static void ndpi_skip_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, struct ndpi_packet_struct *packet) { - if(packet->iph && ndpi_search_into_bittorrent_cache(ndpi_struct, flow, flow->c_address.v4, flow->c_port, flow->s_address.v4, flow->s_port)) + if(ndpi_search_into_bittorrent_cache(ndpi_struct, flow)) ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI_CACHE); else NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out index 67e9ff4ff..a3c006779 100644 --- a/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out +++ b/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out @@ -1,19 +1,18 @@ -Guessed flow protos: 5 +Guessed flow protos: 3 DPI Packets (TCP): 9 (3.00 pkts/flow) -DPI Packets (UDP): 42 (4.67 pkts/flow) -Confidence Unknown : 4 (flows) -Confidence DPI (cache) : 2 (flows) +DPI Packets (UDP): 38 (4.22 pkts/flow) +Confidence DPI (cache) : 6 (flows) Confidence DPI : 6 (flows) -Num dissector calls: 1248 (104.00 diss/flow) +Num dissector calls: 1089 (90.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/12/0 (insert/search/found) +LRU cache bittorrent: 25/12/4 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) LRU cache stun: 2/18/4 (insert/search/found) LRU cache tls_cert: 1/3/2 (insert/search/found) -LRU cache mining: 0/4/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/4/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 9/0 (search/found) Automa domain: 9/0 (search/found) Automa tls cert: 1/1 (search/found) @@ -23,8 +22,7 @@ Patricia risk mask: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia protocols: 0/0 (search/found) -Unknown 23 4214 4 -BitTorrent 2 332 1 +BitTorrent 25 4546 5 WhatsAppCall 24 3996 3 STUN 30 3450 1 Cloudflare 9 8862 3 @@ -37,14 +35,11 @@ JA3 Host Stats: 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] - 5 UDP [3069:c624:1d42:9469:98b1:67ff:fe43:325]:56131 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][11 pkts/1958 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][2.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/0 236/0 1183/0 350/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 178/0 214/0 41/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BHBeRjaHJ)][Plen Bins: 9,0,18,0,72,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP [2118:ec33:112b:7908:2c80:27ff:fef7:d71f]:48415 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][11 pkts/1742 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][2.97 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 279/0 1388/0 400/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 158/0 214/0 51/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (NGuJOnsW)][Plen Bins: 18,0,36,0,45,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][8.49 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP [3297:a1af:5121:cfc:360b:2e07:872f:1ea0]:43865 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][0.26 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BZ9/sp6)][Plen Bins: 50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - - -Undetected flows: - 1 UDP [2a2f:8509:1cb2:466d:ecbf:69d6:109c:608]:62229 -> [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 9][9 pkts/2397 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][9.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1249/0 8358/0 2694/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 266/0 610/0 243/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 44,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27]:60506 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 11][11 pkts/1319 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][6.03 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 670/0 2769/0 758/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 120/0 431/0 99/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 72,18,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [38b2:46b7:27a4:94c3:c134:948:e069:d71f]:1 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 2][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][20.08 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83]:1 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/166 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP [2a2f:8509:1cb2:466d:ecbf:69d6:109c:608]:62229 -> [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 8][cat: Download/7][9 pkts/2397 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][9.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1249/0 8358/0 2694/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 266/0 610/0 243/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 44,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP [3069:c624:1d42:9469:98b1:67ff:fe43:325]:56131 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][11 pkts/1958 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][2.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/0 236/0 1183/0 350/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 178/0 214/0 41/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BHBeRjaHJ)][Plen Bins: 9,0,18,0,72,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP [2118:ec33:112b:7908:2c80:27ff:fef7:d71f]:48415 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][11 pkts/1742 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][2.97 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 279/0 1388/0 400/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 158/0 214/0 51/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (NGuJOnsW)][Plen Bins: 18,0,36,0,45,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27]:60506 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 8][cat: Download/7][11 pkts/1319 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][6.03 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 670/0 2769/0 758/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 120/0 431/0 99/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 72,18,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][8.49 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [38b2:46b7:27a4:94c3:c134:948:e069:d71f]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][20.08 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP [3297:a1af:5121:cfc:360b:2e07:872f:1ea0]:43865 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][0.26 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BZ9/sp6)][Plen Bins: 50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: Download/7][1 pkts/166 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/stun.pcap.out b/tests/cfgs/default/result/stun.pcap.out index c23896786..3a10c6e51 100644 --- a/tests/cfgs/default/result/stun.pcap.out +++ b/tests/cfgs/default/result/stun.pcap.out @@ -5,7 +5,7 @@ DPI Packets (UDP): 13 (4.33 pkts/flow) Confidence DPI : 4 (flows) Num dissector calls: 583 (145.75 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) LRU cache stun: 4/34/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) |