diff options
63 files changed, 1621 insertions, 677 deletions
diff --git a/Makefile.am b/Makefile.am index 37f084916..4090817b3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src/lib example tests -pkgconfigdir = $(prefix)/libdata/pkgconfig +pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = libndpi.pc EXTRA_DIST = autogen.sh diff --git a/example/MacOS/ndpiExample/ndpiExample.xcodeproj/project.pbxproj b/example/MacOS/ndpiExample/ndpiExample.xcodeproj/project.pbxproj index 2c319489d..c9a73d00c 100644 --- a/example/MacOS/ndpiExample/ndpiExample.xcodeproj/project.pbxproj +++ b/example/MacOS/ndpiExample/ndpiExample.xcodeproj/project.pbxproj @@ -8,17 +8,26 @@ /* Begin PBXBuildFile section */ E32F1ECB20844620005739B7 /* whatsapp.c in Sources */ = {isa = PBXBuildFile; fileRef = E32F1ECA20844620005739B7 /* whatsapp.c */; }; + E35D5510228BA70600A80DED /* ajp.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D5506228BA70400A80DED /* ajp.c */; }; + E35D5511228BA70600A80DED /* snmp_proto.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D5507228BA70400A80DED /* snmp_proto.c */; }; + E35D5512228BA70600A80DED /* modbus.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D5508228BA70400A80DED /* modbus.c */; }; + E35D5513228BA70600A80DED /* ookla.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D5509228BA70400A80DED /* ookla.c */; }; + E35D5514228BA70600A80DED /* upnp.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D550A228BA70400A80DED /* upnp.c */; }; + E35D5515228BA70600A80DED /* memcached.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D550B228BA70500A80DED /* memcached.c */; }; + E35D5516228BA70600A80DED /* mdns_proto.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D550C228BA70500A80DED /* mdns_proto.c */; }; + E35D5517228BA70600A80DED /* fbzero.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D550D228BA70500A80DED /* fbzero.c */; }; + E35D5518228BA70600A80DED /* nest_log_sink.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D550E228BA70500A80DED /* nest_log_sink.c */; }; + E35D5519228BA70600A80DED /* mining.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D550F228BA70600A80DED /* mining.c */; }; + E35D551D228BA80000A80DED /* sha1-fast.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D551B228BA80000A80DED /* sha1-fast.c */; }; + E35D551E228BA80000A80DED /* ht_hash.c in Sources */ = {isa = PBXBuildFile; fileRef = E35D551C228BA80000A80DED /* ht_hash.c */; }; + E35D551F228BA88700A80DED /* ndpi_patricia.c in Sources */ = {isa = PBXBuildFile; fileRef = E395430820255354000BBA0D /* ndpi_patricia.c */; }; E3953F5420254989000BBA0D /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = E3953F5320254989000BBA0D /* AppDelegate.m */; }; E3953F5720254989000BBA0D /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = E3953F5620254989000BBA0D /* ViewController.m */; }; E3953F5920254989000BBA0D /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = E3953F5820254989000BBA0D /* Assets.xcassets */; }; E3953F5C2025498A000BBA0D /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = E3953F5A2025498A000BBA0D /* Main.storyboard */; }; E3953F5F2025498A000BBA0D /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = E3953F5E2025498A000BBA0D /* main.m */; }; - E395430B20255354000BBA0D /* Makefile.am in Resources */ = {isa = PBXBuildFile; fileRef = E39540A520255353000BBA0D /* Makefile.am */; }; E395430C20255354000BBA0D /* ndpi_define.h.in in Resources */ = {isa = PBXBuildFile; fileRef = E39540A720255353000BBA0D /* ndpi_define.h.in */; }; E395431720255354000BBA0D /* Makefile in Sources */ = {isa = PBXBuildFile; fileRef = E39540BC20255353000BBA0D /* Makefile */; }; - E395431820255354000BBA0D /* Makefile.am in Resources */ = {isa = PBXBuildFile; fileRef = E39540BD20255353000BBA0D /* Makefile.am */; }; - E395431920255354000BBA0D /* Makefile.in in Resources */ = {isa = PBXBuildFile; fileRef = E39540BE20255353000BBA0D /* Makefile.in */; }; - E395431A20255354000BBA0D /* Makefile.simple in Resources */ = {isa = PBXBuildFile; fileRef = E39540BF20255353000BBA0D /* Makefile.simple */; }; E395431B20255354000BBA0D /* ndpi_content_match.c.inc in Sources */ = {isa = PBXBuildFile; fileRef = E39540C020255353000BBA0D /* ndpi_content_match.c.inc */; }; E395431C20255354000BBA0D /* ndpi_main.c in Sources */ = {isa = PBXBuildFile; fileRef = E39540C120255353000BBA0D /* ndpi_main.c */; }; E39543A320255354000BBA0D /* afp.c in Sources */ = {isa = PBXBuildFile; fileRef = E395414B20255353000BBA0D /* afp.c */; }; @@ -60,7 +69,6 @@ E39543C720255354000BBA0D /* edonkey.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417120255353000BBA0D /* edonkey.c */; }; E39543C820255354000BBA0D /* fasttrack.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417220255353000BBA0D /* fasttrack.c */; }; E39543C920255354000BBA0D /* fiesta.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417320255353000BBA0D /* fiesta.c */; }; - E39543CA20255354000BBA0D /* filetopia.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417420255353000BBA0D /* filetopia.c */; }; E39543CB20255354000BBA0D /* fix.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417520255353000BBA0D /* fix.c */; }; E39543CC20255354000BBA0D /* florensia.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417620255353000BBA0D /* florensia.c */; }; E39543CD20255354000BBA0D /* ftp_control.c in Sources */ = {isa = PBXBuildFile; fileRef = E395417720255353000BBA0D /* ftp_control.c */; }; @@ -90,10 +98,8 @@ E39544ED20255354000BBA0D /* mail_pop.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429720255354000BBA0D /* mail_pop.c */; }; E39544EE20255354000BBA0D /* mail_smtp.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429820255354000BBA0D /* mail_smtp.c */; }; E39544EF20255354000BBA0D /* maplestory.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429920255354000BBA0D /* maplestory.c */; }; - E39544F020255354000BBA0D /* mdns.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429A20255354000BBA0D /* mdns.c */; }; E39544F120255354000BBA0D /* megaco.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429B20255354000BBA0D /* megaco.c */; }; E39544F220255354000BBA0D /* mgcp.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429C20255354000BBA0D /* mgcp.c */; }; - E39544F320255354000BBA0D /* mms.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429D20255354000BBA0D /* mms.c */; }; E39544F420255354000BBA0D /* mpegts.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429E20255354000BBA0D /* mpegts.c */; }; E39544F520255354000BBA0D /* mqtt.c in Sources */ = {isa = PBXBuildFile; fileRef = E395429F20255354000BBA0D /* mqtt.c */; }; E39544F620255354000BBA0D /* msn.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542A020255354000BBA0D /* msn.c */; }; @@ -134,9 +140,7 @@ E395451920255354000BBA0D /* skype.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C320255354000BBA0D /* skype.c */; }; E395451A20255354000BBA0D /* smb.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C420255354000BBA0D /* smb.c */; }; E395451B20255354000BBA0D /* smpp.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C520255354000BBA0D /* smpp.c */; }; - E395451C20255354000BBA0D /* snmp.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C620255354000BBA0D /* snmp.c */; }; E395451D20255354000BBA0D /* socks45.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C720255354000BBA0D /* socks45.c */; }; - E395451E20255354000BBA0D /* socrates.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C820255354000BBA0D /* socrates.c */; }; E395451F20255354000BBA0D /* someip.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542C920255354000BBA0D /* someip.c */; }; E395452020255354000BBA0D /* sopcast.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542CA20255354000BBA0D /* sopcast.c */; }; E395452120255354000BBA0D /* soulseek.c in Sources */ = {isa = PBXBuildFile; fileRef = E39542CB20255354000BBA0D /* soulseek.c */; }; @@ -189,6 +193,19 @@ /* Begin PBXFileReference section */ E32F1ECA20844620005739B7 /* whatsapp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = whatsapp.c; sourceTree = "<group>"; }; + E35D5506228BA70400A80DED /* ajp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ajp.c; sourceTree = "<group>"; }; + E35D5507228BA70400A80DED /* snmp_proto.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = snmp_proto.c; sourceTree = "<group>"; }; + E35D5508228BA70400A80DED /* modbus.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = modbus.c; sourceTree = "<group>"; }; + E35D5509228BA70400A80DED /* ookla.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ookla.c; sourceTree = "<group>"; }; + E35D550A228BA70400A80DED /* upnp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = upnp.c; sourceTree = "<group>"; }; + E35D550B228BA70500A80DED /* memcached.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = memcached.c; sourceTree = "<group>"; }; + E35D550C228BA70500A80DED /* mdns_proto.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mdns_proto.c; sourceTree = "<group>"; }; + E35D550D228BA70500A80DED /* fbzero.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = fbzero.c; sourceTree = "<group>"; }; + E35D550E228BA70500A80DED /* nest_log_sink.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = nest_log_sink.c; sourceTree = "<group>"; }; + E35D550F228BA70600A80DED /* mining.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mining.c; sourceTree = "<group>"; }; + E35D551A228BA7DF00A80DED /* ht_hash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ht_hash.h; sourceTree = "<group>"; }; + E35D551B228BA80000A80DED /* sha1-fast.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sha1-fast.c"; sourceTree = "<group>"; }; + E35D551C228BA80000A80DED /* ht_hash.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ht_hash.c; sourceTree = "<group>"; }; E3953F4F20254989000BBA0D /* ndpiExample.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = ndpiExample.app; sourceTree = BUILT_PRODUCTS_DIR; }; E3953F5220254989000BBA0D /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = "<group>"; }; E3953F5320254989000BBA0D /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; }; @@ -212,7 +229,6 @@ E39540BC20255353000BBA0D /* Makefile */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.make; path = Makefile; sourceTree = "<group>"; }; E39540BD20255353000BBA0D /* Makefile.am */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Makefile.am; sourceTree = "<group>"; }; E39540BE20255353000BBA0D /* Makefile.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Makefile.in; sourceTree = "<group>"; }; - E39540BF20255353000BBA0D /* Makefile.simple */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Makefile.simple; sourceTree = "<group>"; }; E39540C020255353000BBA0D /* ndpi_content_match.c.inc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.pascal; path = ndpi_content_match.c.inc; sourceTree = "<group>"; }; E39540C120255353000BBA0D /* ndpi_main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ndpi_main.c; sourceTree = "<group>"; }; E395414B20255353000BBA0D /* afp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = afp.c; sourceTree = "<group>"; }; @@ -255,7 +271,6 @@ E395417120255353000BBA0D /* edonkey.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = edonkey.c; sourceTree = "<group>"; }; E395417220255353000BBA0D /* fasttrack.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = fasttrack.c; sourceTree = "<group>"; }; E395417320255353000BBA0D /* fiesta.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = fiesta.c; sourceTree = "<group>"; }; - E395417420255353000BBA0D /* filetopia.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = filetopia.c; sourceTree = "<group>"; }; E395417520255353000BBA0D /* fix.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = fix.c; sourceTree = "<group>"; }; E395417620255353000BBA0D /* florensia.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = florensia.c; sourceTree = "<group>"; }; E395417720255353000BBA0D /* ftp_control.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ftp_control.c; sourceTree = "<group>"; }; @@ -285,10 +300,8 @@ E395429720255354000BBA0D /* mail_pop.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mail_pop.c; sourceTree = "<group>"; }; E395429820255354000BBA0D /* mail_smtp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mail_smtp.c; sourceTree = "<group>"; }; E395429920255354000BBA0D /* maplestory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = maplestory.c; sourceTree = "<group>"; }; - E395429A20255354000BBA0D /* mdns.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mdns.c; sourceTree = "<group>"; }; E395429B20255354000BBA0D /* megaco.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = megaco.c; sourceTree = "<group>"; }; E395429C20255354000BBA0D /* mgcp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mgcp.c; sourceTree = "<group>"; }; - E395429D20255354000BBA0D /* mms.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mms.c; sourceTree = "<group>"; }; E395429E20255354000BBA0D /* mpegts.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mpegts.c; sourceTree = "<group>"; }; E395429F20255354000BBA0D /* mqtt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mqtt.c; sourceTree = "<group>"; }; E39542A020255354000BBA0D /* msn.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = msn.c; sourceTree = "<group>"; }; @@ -329,9 +342,7 @@ E39542C320255354000BBA0D /* skype.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = skype.c; sourceTree = "<group>"; }; E39542C420255354000BBA0D /* smb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = smb.c; sourceTree = "<group>"; }; E39542C520255354000BBA0D /* smpp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = smpp.c; sourceTree = "<group>"; }; - E39542C620255354000BBA0D /* snmp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = snmp.c; sourceTree = "<group>"; }; E39542C720255354000BBA0D /* socks45.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = socks45.c; sourceTree = "<group>"; }; - E39542C820255354000BBA0D /* socrates.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = socrates.c; sourceTree = "<group>"; }; E39542C920255354000BBA0D /* someip.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = someip.c; sourceTree = "<group>"; }; E39542CA20255354000BBA0D /* sopcast.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = sopcast.c; sourceTree = "<group>"; }; E39542CB20255354000BBA0D /* soulseek.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = soulseek.c; sourceTree = "<group>"; }; @@ -482,7 +493,6 @@ E39540BC20255353000BBA0D /* Makefile */, E39540BD20255353000BBA0D /* Makefile.am */, E39540BE20255353000BBA0D /* Makefile.in */, - E39540BF20255353000BBA0D /* Makefile.simple */, E39540C020255353000BBA0D /* ndpi_content_match.c.inc */, E39540C120255353000BBA0D /* ndpi_main.c */, E39540C220255353000BBA0D /* protocols */, @@ -530,7 +540,6 @@ E395417120255353000BBA0D /* edonkey.c */, E395417220255353000BBA0D /* fasttrack.c */, E395417320255353000BBA0D /* fiesta.c */, - E395417420255353000BBA0D /* filetopia.c */, E395417520255353000BBA0D /* fix.c */, E395417620255353000BBA0D /* florensia.c */, E395417720255353000BBA0D /* ftp_control.c */, @@ -560,10 +569,8 @@ E395429720255354000BBA0D /* mail_pop.c */, E395429820255354000BBA0D /* mail_smtp.c */, E395429920255354000BBA0D /* maplestory.c */, - E395429A20255354000BBA0D /* mdns.c */, E395429B20255354000BBA0D /* megaco.c */, E395429C20255354000BBA0D /* mgcp.c */, - E395429D20255354000BBA0D /* mms.c */, E395429E20255354000BBA0D /* mpegts.c */, E395429F20255354000BBA0D /* mqtt.c */, E39542A020255354000BBA0D /* msn.c */, @@ -604,9 +611,7 @@ E39542C320255354000BBA0D /* skype.c */, E39542C420255354000BBA0D /* smb.c */, E39542C520255354000BBA0D /* smpp.c */, - E39542C620255354000BBA0D /* snmp.c */, E39542C720255354000BBA0D /* socks45.c */, - E39542C820255354000BBA0D /* socrates.c */, E39542C920255354000BBA0D /* someip.c */, E39542CA20255354000BBA0D /* sopcast.c */, E39542CB20255354000BBA0D /* soulseek.c */, @@ -647,6 +652,16 @@ E39542EE20255354000BBA0D /* zattoo.c */, E39542EF20255354000BBA0D /* zeromq.c */, E32F1ECA20844620005739B7 /* whatsapp.c */, + E35D5506228BA70400A80DED /* ajp.c */, + E35D550D228BA70500A80DED /* fbzero.c */, + E35D550C228BA70500A80DED /* mdns_proto.c */, + E35D550B228BA70500A80DED /* memcached.c */, + E35D550F228BA70600A80DED /* mining.c */, + E35D5508228BA70400A80DED /* modbus.c */, + E35D550E228BA70500A80DED /* nest_log_sink.c */, + E35D5509228BA70400A80DED /* ookla.c */, + E35D5507228BA70400A80DED /* snmp_proto.c */, + E35D550A228BA70400A80DED /* upnp.c */, ); path = protocols; sourceTree = "<group>"; @@ -675,6 +690,7 @@ E39542F120255354000BBA0D /* include */ = { isa = PBXGroup; children = ( + E35D551A228BA7DF00A80DED /* ht_hash.h */, E39542F220255354000BBA0D /* actypes.h */, E39542F320255354000BBA0D /* ahocorasick.h */, E39542F420255354000BBA0D /* libcache.h */, @@ -688,6 +704,8 @@ E39542F820255354000BBA0D /* src */ = { isa = PBXGroup; children = ( + E35D551C228BA80000A80DED /* ht_hash.c */, + E35D551B228BA80000A80DED /* sha1-fast.c */, E395430020255354000BBA0D /* ahocorasick.c */, E395430120255354000BBA0D /* libcache.c */, E395430820255354000BBA0D /* ndpi_patricia.c */, @@ -769,14 +787,10 @@ buildActionMask = 2147483647; files = ( E395430C20255354000BBA0D /* ndpi_define.h.in in Resources */, - E395431A20255354000BBA0D /* Makefile.simple in Resources */, - E395430B20255354000BBA0D /* Makefile.am in Resources */, - E395431920255354000BBA0D /* Makefile.in in Resources */, E3953F5920254989000BBA0D /* Assets.xcassets in Resources */, E39547942026B2AA000BBA0D /* capture.pcap in Resources */, E395455D202558E6000BBA0D /* protos.txt in Resources */, E3953F5C2025498A000BBA0D /* Main.storyboard in Resources */, - E395431820255354000BBA0D /* Makefile.am in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -787,20 +801,20 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - E39544F320255354000BBA0D /* mms.c in Sources */, E39544F220255354000BBA0D /* mgcp.c in Sources */, E39543B420255354000BBA0D /* checkmk.c in Sources */, E39543D720255354000BBA0D /* http.c in Sources */, E39543A420255354000BBA0D /* aimini.c in Sources */, E39543DD20255354000BBA0D /* jabber.c in Sources */, + E35D5510228BA70600A80DED /* ajp.c in Sources */, E395452820255354000BBA0D /* steam.c in Sources */, E39543C720255354000BBA0D /* edonkey.c in Sources */, E39543B520255354000BBA0D /* ciscovpn.c in Sources */, + E35D5511228BA70600A80DED /* snmp_proto.c in Sources */, E39543B120255354000BBA0D /* bittorrent.c in Sources */, E395452E20255354000BBA0D /* telegram.c in Sources */, E39543DA20255354000BBA0D /* icecast.c in Sources */, E395450620255354000BBA0D /* postgres.c in Sources */, - E395451E20255354000BBA0D /* socrates.c in Sources */, E395450B20255354000BBA0D /* quic.c in Sources */, E39543A820255354000BBA0D /* armagetron.c in Sources */, E39543D120255354000BBA0D /* gtp.c in Sources */, @@ -811,7 +825,6 @@ E395452620255354000BBA0D /* starcraft.c in Sources */, E39543B620255354000BBA0D /* citrix.c in Sources */, E395451320255354000BBA0D /* rtsp.c in Sources */, - E39543CA20255354000BBA0D /* filetopia.c in Sources */, E39544F120255354000BBA0D /* megaco.c in Sources */, E39543A920255354000BBA0D /* flash.c in Sources */, E39544F820255354000BBA0D /* mysql.c in Sources */, @@ -832,10 +845,12 @@ E395451420255354000BBA0D /* rx.c in Sources */, E39543DC20255354000BBA0D /* irc.c in Sources */, E395450320255354000BBA0D /* oscar.c in Sources */, + E35D551D228BA80000A80DED /* sha1-fast.c in Sources */, E39543BC20255354000BBA0D /* dcerpc.c in Sources */, E395454020255355000BBA0D /* world_of_warcraft.c in Sources */, E39543A620255354000BBA0D /* apple_push.c in Sources */, E395451920255354000BBA0D /* skype.c in Sources */, + E35D551E228BA80000A80DED /* ht_hash.c in Sources */, E39543AC20255354000BBA0D /* popo.c in Sources */, E39543BF20255354000BBA0D /* diameter.c in Sources */, E39544FF20255354000BBA0D /* ntp.c in Sources */, @@ -847,7 +862,6 @@ E39544EC20255354000BBA0D /* mail_imap.c in Sources */, E395450C20255354000BBA0D /* radius.c in Sources */, E395455F202558E6000BBA0D /* ndpiReader.c in Sources */, - E395451C20255354000BBA0D /* snmp.c in Sources */, E395452520255354000BBA0D /* ssl.c in Sources */, E39543D420255354000BBA0D /* halflife2_and_mods.c in Sources */, E39544F920255354000BBA0D /* netbios.c in Sources */, @@ -870,11 +884,13 @@ E395450D20255354000BBA0D /* rdp.c in Sources */, E39544EA20255354000BBA0D /* lisp.c in Sources */, E39544EF20255354000BBA0D /* maplestory.c in Sources */, + E35D5519228BA70600A80DED /* mining.c in Sources */, E39544EB20255354000BBA0D /* lotus_notes.c in Sources */, E395451F20255354000BBA0D /* someip.c in Sources */, E39543DF20255354000BBA0D /* kerberos.c in Sources */, E39543A720255354000BBA0D /* applejuice.c in Sources */, E395452020255354000BBA0D /* sopcast.c in Sources */, + E35D5517228BA70600A80DED /* fbzero.c in Sources */, E39543AD20255354000BBA0D /* secondlife.c in Sources */, E395450720255354000BBA0D /* pplive.c in Sources */, E395453120255354000BBA0D /* tftp.c in Sources */, @@ -883,6 +899,7 @@ E39543D620255354000BBA0D /* hep.c in Sources */, E39543E020255354000BBA0D /* kontiki.c in Sources */, E39544FA20255354000BBA0D /* netflow.c in Sources */, + E35D5513228BA70600A80DED /* ookla.c in Sources */, E395454220255355000BBA0D /* xdmcp.c in Sources */, E39544F720255354000BBA0D /* mssql_tds.c in Sources */, E395451A20255354000BBA0D /* smb.c in Sources */, @@ -890,11 +907,12 @@ E395450520255354000BBA0D /* pcanywhere.c in Sources */, E39547902026A51A000BBA0D /* ahocorasick.c in Sources */, E395452320255354000BBA0D /* ssdp.c in Sources */, + E35D5518228BA70600A80DED /* nest_log_sink.c in Sources */, E395431B20255354000BBA0D /* ndpi_content_match.c.inc in Sources */, E395450120255354000BBA0D /* openvpn.c in Sources */, E395453920255354000BBA0D /* vhua.c in Sources */, - E39544F020255354000BBA0D /* mdns.c in Sources */, E39543C920255354000BBA0D /* fiesta.c in Sources */, + E35D5514228BA70600A80DED /* upnp.c in Sources */, E395454120255355000BBA0D /* xbox.c in Sources */, E395453D20255355000BBA0D /* warcraft3.c in Sources */, E39543D220255354000BBA0D /* guildwars.c in Sources */, @@ -902,12 +920,14 @@ E395450E20255354000BBA0D /* redis_net.c in Sources */, E395455420255355000BBA0D /* node.c in Sources */, E39543CE20255354000BBA0D /* ftp_data.c in Sources */, + E35D551F228BA88700A80DED /* ndpi_patricia.c in Sources */, E395451D20255354000BBA0D /* socks45.c in Sources */, E395451820255354000BBA0D /* skinny.c in Sources */, E395453620255354000BBA0D /* tvuplayer.c in Sources */, E39543CC20255354000BBA0D /* florensia.c in Sources */, E3953F5720254989000BBA0D /* ViewController.m in Sources */, E39544F520255354000BBA0D /* mqtt.c in Sources */, + E35D5516228BA70600A80DED /* mdns_proto.c in Sources */, E39543C220255354000BBA0D /* dns.c in Sources */, E39543B920255354000BBA0D /* corba.c in Sources */, E39543B320255354000BBA0D /* btlib.c in Sources */, @@ -927,6 +947,7 @@ E395453E20255355000BBA0D /* whoisdas.c in Sources */, E39543BB20255354000BBA0D /* csgo.c in Sources */, E395450A20255354000BBA0D /* qq.c in Sources */, + E35D5512228BA70600A80DED /* modbus.c in Sources */, E395431C20255354000BBA0D /* ndpi_main.c in Sources */, E39543BD20255354000BBA0D /* dhcp.c in Sources */, E395454520255355000BBA0D /* zeromq.c in Sources */, @@ -935,6 +956,7 @@ E395451120255354000BBA0D /* rtmp.c in Sources */, E39544FE20255354000BBA0D /* non_tcp_udp.c in Sources */, E39543C020255354000BBA0D /* directconnect.c in Sources */, + E35D5515228BA70600A80DED /* memcached.c in Sources */, E39543D020255354000BBA0D /* gnutella.c in Sources */, E39543D320255354000BBA0D /* h323.c in Sources */, E395453720255354000BBA0D /* ubntac2.c in Sources */, @@ -1087,6 +1109,7 @@ "$(inherited)", "APP_HAS_OWN_MAIN=1", "NDPI_LOG_DEBUG2=NDPI_LOG_DEBUG2_XCODE_PROJ", + NDPI_LIB_COMPILATION, ); INFOPLIST_FILE = ndpiExample/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; @@ -1105,6 +1128,7 @@ GCC_PREPROCESSOR_DEFINITIONS = ( "APP_HAS_OWN_MAIN=1", "NDPI_LOG_DEBUG2=NDPI_LOG_DEBUG2_XCODE_PROJ", + NDPI_LIB_COMPILATION, ); INFOPLIST_FILE = ndpiExample/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 0b0fa889b..1a5dbbfd0 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1,7 +1,7 @@ /* * ndpiReader.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -749,6 +749,40 @@ char* intoaV4(u_int32_t addr, char* buf, u_int16_t bufLen) { /* ********************************** */ +static char* print_cipher(ndpi_cipher_weakness c) { + switch(c) { + case ndpi_cipher_insecure: + return(" (INSECURE)"); + break; + + case ndpi_cipher_weak: + return(" (WEAK)"); + break; + + default: + return(""); + } +} + +/* ********************************** */ + +static char* ssl_version2str(u_int16_t version) { + static char v[8]; + + switch(version) { + case 0x300: return("SSLv3"); + case 0x301: return("TLSv1"); + case 0x302: return("TLSv1.1"); + case 0x303: return("TLSv1.2"); + case 0x304: return("TLSv1.3"); + } + + snprintf(v, sizeof(v), "%04X", version); + return(v); +} + +/* ********************************** */ + /** * @brief Print the flow */ @@ -800,10 +834,16 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa flow->dst2src_packets, (long long unsigned int) flow->dst2src_bytes); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); + if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); - if(flow->ssh_ssl.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_ssl.client_info); + if(flow->ssh_ssl.ssl_version != 0) fprintf(out, "[%s]", ssl_version2str(flow->ssh_ssl.ssl_version)); + if(flow->ssh_ssl.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_ssl.ja3_client, + print_cipher(flow->ssh_ssl.client_unsafe_cipher)); if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info); + + if(flow->ssh_ssl.ja3_server[0] != '\0') fprintf(out, "[JA3S: %s%s]", flow->ssh_ssl.ja3_server, + print_cipher(flow->ssh_ssl.server_unsafe_cipher)); if(flow->ssh_ssl.server_organization[0] != '\0') fprintf(out, "[organization: %s]", flow->ssh_ssl.server_organization); if(flow->bittorent_hash[0] != '\0') fprintf(out, "[BT Hash: %s]", flow->bittorent_hash); @@ -850,6 +890,15 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if((flow->ssh_ssl.client_info[0] != '\0') || (flow->ssh_ssl.server_info[0] != '\0')) { json_object *sjObj = json_object_new_object(); + if(flow->ssh_ssl.ja3_server[0] != '\0') + json_object_object_add(jObj,"ja3s",json_object_new_string(flow->ssh_ssl.ja3_server)); + + if(flow->ssh_ssl.ja3_client[0] != '\0') + json_object_object_add(jObj,"ja3c",json_object_new_string(flow->ssh_ssl.ja3_client)); + + if(flow->ja3_server[0] != '\0') + json_object_object_add(jObj,"host.server.ja3",json_object_new_string(flow->ja3_server)); + if(flow->ssh_ssl.client_info[0] != '\0') json_object_object_add(sjObj, "client", json_object_new_string(flow->ssh_ssl.client_info)); @@ -1521,6 +1570,8 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { ndpi_enable_loaded_categories(ndpi_thread_info[thread_id].workflow->ndpi_struct); } else printf("ERROR: Unable to read file %s\n", _customCategoryFilePath); + + fclose(fd); } } diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 9e1e72132..4b8ffb894 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -562,16 +562,22 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl /* SSL */ else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL) || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)) { + flow->ssh_ssl.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s", flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); snprintf(flow->ssh_ssl.server_organization, sizeof(flow->ssh_ssl.server_organization), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); + flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); + snprintf(flow->ssh_ssl.ja3_client, sizeof(flow->ssh_ssl.ja3_client), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client); + snprintf(flow->ssh_ssl.ja3_server, sizeof(flow->ssh_ssl.ja3_server), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); + flow->ssh_ssl.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; } } - if(flow->detection_completed && !flow->check_extra_packets) { + if(flow->detection_completed && (!flow->check_extra_packets)) { if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { if(workflow->__flow_giveup_callback != NULL) workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); @@ -641,60 +647,37 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, return(nproto); } - /* Protocol already detected */ - if(flow->detection_completed) { - if(flow->check_extra_packets && ndpi_flow != NULL && ndpi_flow->check_extra_packets) { - if(ndpi_flow->num_extra_packets_checked == 0 && ndpi_flow->max_extra_packets_to_check == 0) { - /* Protocols can set this, but we set it here in case they didn't */ - ndpi_flow->max_extra_packets_to_check = MAX_EXTRA_PACKETS_TO_CHECK; - } - if(ndpi_flow->num_extra_packets_checked < ndpi_flow->max_extra_packets_to_check) { - ndpi_process_extra_packet(workflow->ndpi_struct, ndpi_flow, - iph ? (uint8_t *)iph : (uint8_t *)iph6, - ipsize, time, src, dst); - if(ndpi_flow->check_extra_packets == 0) { - flow->check_extra_packets = 0; - process_ndpi_collected_info(workflow, flow); - } - } - } else if(ndpi_flow != NULL) { - /* If this wasn't NULL we should do the half free */ - /* TODO: When half_free is deprecated, get rid of this */ - ndpi_free_flow_info_half(flow); - } - - return(flow->detected_protocol); - } + if(!flow->detection_completed) { + flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, + iph ? (uint8_t *)iph : (uint8_t *)iph6, + ipsize, time, src, dst); + + if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) + || ((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8)) + || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) { + /* New protocol detected or give up */ + flow->detection_completed = 1; + + /* Check if we should keep checking extra packets */ + if(ndpi_flow && ndpi_flow->check_extra_packets) + flow->check_extra_packets = 1; - flow->detected_protocol = - ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, - iph ? (uint8_t *)iph : (uint8_t *)iph6, - ipsize, time, src, dst); - - if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) - || ((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8)) - || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) { - /* New protocol detected or give up */ - flow->detection_completed = 1; - /* Check if we should keep checking extra packets */ - if(ndpi_flow->check_extra_packets) - flow->check_extra_packets = 1; - - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) - flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow, - enable_protocol_guess); + if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) + flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow, + enable_protocol_guess); - process_ndpi_collected_info(workflow, flow); + process_ndpi_collected_info(workflow, flow); + } } - + return(flow->detected_protocol); } /* ****************************************************** */ -struct ndpi_proto ndpi_workflow_process_packet (struct ndpi_workflow * workflow, - const struct pcap_pkthdr *header, - const u_char *packet) { +struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, + const struct pcap_pkthdr *header, + const u_char *packet) { /* * Declare pointers to packet headers */ diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 0a5a3b8c2..538753834 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -97,7 +97,10 @@ typedef struct ndpi_flow_info { char bittorent_hash[41]; struct { - char client_info[64], server_info[64], server_organization[64]; + u_int16_t ssl_version; + char client_info[64], server_info[64], server_organization[64], + ja3_client[33], ja3_server[33]; + ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher; } ssh_ssl; void *src_id, *dst_id; diff --git a/packages/rpm/ndpi.spec.in b/packages/rpm/ndpi.spec.in index 7b9b44365..d2e473627 100644 --- a/packages/rpm/ndpi.spec.in +++ b/packages/rpm/ndpi.spec.in @@ -75,7 +75,7 @@ rm -fr $RPM_BUILD_ROOT /usr/local/lib/libndpi.so.@PACKAGE_VERSION@ /usr/local/bin/ndpiReader /etc/ld.so.conf.d/ndpi.conf -/usr/local/libdata/pkgconfig/libndpi.pc +%{libdir}/pkgconfig/libndpi.pc %preun diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 84633c3ae..afe22c329 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -612,7 +612,7 @@ extern "C" { * */ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, - char* path); + const char* path); /** * Get the total number of the supported protocols @@ -807,6 +807,7 @@ extern "C" { u_int16_t src_port, u_int16_t dst_port, u_int8_t icmp_type, u_int8_t icmp_code, u_char *hash_buf, u_int8_t hash_buf_len); + u_int8_t ndpi_is_safe_ssl_cipher(u_int16_t cipher); #ifdef __cplusplus } #endif diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index dc5fea74a..4d2696073 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in @@ -338,6 +338,10 @@ #define NDPI_MINOR @NDPI_MINOR@ #define NDPI_PATCH @NDPI_PATCH@ +/* IMPORTANT: order according to its severity */ +#define NDPI_CIPHER_SAFE 0 +#define NDPI_CIPHER_WEAK 1 +#define NDPI_CIPHER_INSECURE 2 #ifdef __APPLE__ diff --git a/src/include/ndpi_includes.h b/src/include/ndpi_includes.h index f77f8cfc4..f8bde5194 100644 --- a/src/include/ndpi_includes.h +++ b/src/include/ndpi_includes.h @@ -27,6 +27,7 @@ #include <stdint.h> #include <stdio.h> #include <stdarg.h> +#include <stdlib.h> #include <string.h> #include <ctype.h> #include <time.h> diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index e37576289..5ec98f6d9 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -124,7 +124,7 @@ extern "C" { u_int8_t proto, u_int16_t sport, u_int16_t dport, u_int8_t *user_defined_proto); - extern u_int8_t ndpi_is_proto(ndpi_protocol p, u_int16_t proto); + extern u_int8_t ndpi_is_proto(ndpi_protocol proto, u_int16_t p); extern u_int16_t ndpi_get_lower_proto(ndpi_protocol p); extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index fc80a675b..21e2199e5 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -360,6 +360,7 @@ typedef enum { NDPI_HTTP_METHOD_OPTIONS, NDPI_HTTP_METHOD_GET, NDPI_HTTP_METHOD_HEAD, + NDPI_HTTP_METHOD_PATCH, NDPI_HTTP_METHOD_POST, NDPI_HTTP_METHOD_PUT, NDPI_HTTP_METHOD_DELETE, @@ -368,7 +369,7 @@ typedef enum { } ndpi_http_method; struct ndpi_lru_cache { - u_int32_t num_entries, *entries; + u_int32_t num_entries, *entries; }; struct ndpi_id_struct { @@ -479,14 +480,14 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_WHATSAPP */ u_int8_t wa_matched_so_far; - + /* NDPI_PROTOCOL_TDS */ u_int8_t tds_login_version; /* NDPI_PROTOCOL_IRC */ u_int8_t irc_stage; u_int8_t irc_port; - + /* NDPI_PROTOCOL_H323 */ u_int8_t h323_valid_packets; @@ -554,7 +555,7 @@ struct ndpi_flow_tcp_struct { u_int32_t seen_syn:1; u_int32_t seen_syn_ack:1; u_int32_t seen_ack:1; - + /* NDPI_PROTOCOL_ICECAST */ u_int32_t icecast_stage:1; @@ -800,13 +801,14 @@ typedef enum { NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY, NDPI_PROTOCOL_CATEGORY_FILE_SHARING, - + /* Some custom categories */ CUSTOM_CATEGORY_MINING = 99, CUSTOM_CATEGORY_MALWARE = 100, CUSTOM_CATEGORY_ADVERTISEMENT = 101, CUSTOM_CATEGORY_BANNED_SITE = 102, CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103, + CUSTOM_CATEGORY_ALLOWED_SITE = 104, /* IMPORTANT @@ -817,7 +819,7 @@ typedef enum { in ndpi_main.c */ - + NDPI_PROTOCOL_NUM_CATEGORIES /* NOTE: Keep this as last member Unused as value but useful to getting the number of elements @@ -832,7 +834,7 @@ typedef enum { ndpi_pref_disable_metadata_export, ndpi_pref_enable_category_substring_match } ndpi_detection_preference; - + /* ntop extensions */ typedef struct ndpi_proto_defaults { char *protoName; @@ -959,7 +961,7 @@ struct ndpi_detection_module_struct { void *ipAddresses, *ipAddresses_shadow; /* Patricia */ u_int8_t categories_loaded; } custom_categories; - + /* IP-based protocol detection */ void *protocols_ptree; @@ -1013,12 +1015,18 @@ struct ndpi_detection_module_struct { disable_metadata_export:1, /* No metadata is exported */ enable_category_substring_match:1 /* Default is perfect match */ ; - + void *hyperscan; /* Intel Hyperscan */ }; - + #endif /* NDPI_LIB_COMPILATION */ +typedef enum { + ndpi_cipher_safe = NDPI_CIPHER_SAFE, + ndpi_cipher_weak = NDPI_CIPHER_WEAK, + ndpi_cipher_insecure = NDPI_CIPHER_INSECURE +} ndpi_cipher_weakness; + struct ndpi_flow_struct { u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; #ifndef WIN32 @@ -1039,7 +1047,7 @@ struct ndpi_flow_struct { u_int8_t max_extra_packets_to_check; u_int8_t num_extra_packets_checked; u_int8_t num_processed_pkts; /* <= WARNING it can wrap but we do expect people to giveup earlier */ - + int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); /* @@ -1089,15 +1097,19 @@ struct ndpi_flow_struct { struct { struct { + u_int16_t ssl_version; char client_certificate[64], server_certificate[64], server_organization[64]; + char ja3_client[33], ja3_server[33]; + u_int16_t server_cipher; + ndpi_cipher_weakness server_unsafe_cipher; } ssl; - + struct { u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype; } stun; /* We can have STUN over SSL thus they need to live together */ - } stun_ssl; + } stun_ssl; struct { char client_signature[48], server_signature[48]; @@ -1135,10 +1147,10 @@ struct ndpi_flow_struct { NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask; ndpi_protocol_category_t category; - + /* NDPI_PROTOCOL_REDIS */ u_int8_t redis_s2d_first_char, redis_d2s_first_char; - + u_int16_t packet_counter; // can be 0 - 65000 u_int16_t packet_direction_counter[2]; u_int16_t byte_counter[2]; @@ -1154,7 +1166,7 @@ struct ndpi_flow_struct { /* NDPI_PROTOCOL_HTTP */ u_int8_t http_detected:1; u_int16_t http_upper_protocol, http_lower_protocol; - + /* NDPI_PROTOCOL_RTSP */ u_int8_t rtsprdt_stage:2, rtsp_control_flow:1; @@ -1169,7 +1181,7 @@ struct ndpi_flow_struct { /* NDPI_PROTOCOL_THUNDER */ u_int8_t thunder_stage:2; // 0 - 3 - + /* NDPI_PROTOCOL_OSCAR */ u_int8_t oscar_ssl_voice_stage:3, oscar_video_voice:1; diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index cadd65ddd..65934502d 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -58,6 +58,9 @@ clean: distclean: clean /bin/rm -f Makefile +cppcheck: + cppcheck --template='{file}:{line}:{severity}:{message}' --quiet --enable=all --force -I ../include *.c protocols/*.c + install: $(NDPI_LIBS) mkdir -p $(DESTDIR)$(libdir) cp $(NDPI_LIBS) $(DESTDIR)$(libdir)/ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index a060182d8..537b41b5e 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -79,34 +79,295 @@ static ndpi_network host_protocol_list[] = { /* WhatsApp Inc. + List of the WhatsApp server IP addresses and ranges (https://developers.facebook.com/docs/whatsapp/network-debugging/ Dec 21, 2018) */ - { 0x1F0D4B00 /* 31.13.75.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, - { 0x1F0D5600 /* 31.13.86.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, - { 0x3216C6CC /* 50.22.198.204/30 */, 30, NDPI_PROTOCOL_WHATSAPP }, - { 0x4B7E2720 /* 75.126.39.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x6CA8AE00 /* 108.168.174.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x6CA8B0C0 /* 108.168.176.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0x6CA8B100 /* 108.168.177.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, { 0x6CA8B460 /* 108.168.180.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0x9E553A00 /* 158.85.58.0/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, - { 0x9E55FE40 /* 158.85.254.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xA92C5360 /* 169.44.82.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x6CA8FE41 /* 108.168.254.65/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x6CA8FFE0 /* 108.168.255.224/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x6CA8FFE3 /* 108.168.255.227/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00135 /* 157.240.1.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00136 /* 157.240.1.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00A35 /* 157.240.10.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00A36 /* 157.240.10.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00B35 /* 157.240.11.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00B36 /* 157.240.11.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00C35 /* 157.240.12.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00C36 /* 157.240.12.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00D36 /* 157.240.13.54/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00E34 /* 157.240.14.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00F35 /* 157.240.15.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00F36 /* 157.240.15.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01034 /* 157.240.16.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01234 /* 157.240.18.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01335 /* 157.240.19.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01336 /* 157.240.19.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00235 /* 157.240.2.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00236 /* 157.240.2.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01434 /* 157.240.20.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01534 /* 157.240.21.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01635 /* 157.240.22.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01636 /* 157.240.22.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01735 /* 157.240.23.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01736 /* 157.240.23.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01D35 /* 157.240.29.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01D36 /* 157.240.29.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00635 /* 157.240.6.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00636 /* 157.240.6.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00735 /* 157.240.7.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00736 /* 157.240.7.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00835 /* 157.240.8.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00836 /* 157.240.8.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00935 /* 157.240.9.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00936 /* 157.240.9.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E550060 /* 158.85.0.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E55E0A0 /* 158.85.224.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E55E920 /* 158.85.233.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E55F980 /* 158.85.249.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E55FE40 /* 158.85.254.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E552E80 /* 158.85.46.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E5530E0 /* 158.85.48.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E5505C0 /* 158.85.5.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E553A00 /* 158.85.58.0/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0x9E553DC0 /* 158.85.61.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92CA700 /* 169.44.167.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C2400 /* 169.44.36.0/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C3940 /* 169.44.57.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C3A40 /* 169.44.58.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5000 /* 169.44.80.0/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5280 /* 169.44.82.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C52C0 /* 169.44.82.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5260 /* 169.44.82.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5300 /* 169.44.83.0/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5380 /* 169.44.83.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C53C0 /* 169.44.83.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5360 /* 169.44.83.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5400 /* 169.44.84.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C5540 /* 169.44.85.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92C57A0 /* 169.44.87.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DA9C0 /* 169.45.169.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DB660 /* 169.45.182.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DD240 /* 169.45.210.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, { 0xA92DD6E0 /* 169.45.214.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, { 0xA92DDBE0 /* 169.45.219.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xA92DF860 /* 169.45.248.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xA92F05C0 /* 169.47.5.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, - { 0xA92F2320 /* 169.47.35.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xA9373CAA /* 169.55.60.170/32 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xA93C4F00 /* 169.60.79.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, - { 0xA93F4C11 /* 169.63.76.0/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, - { 0xA93F4940 /* 169.63.73.64/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DEDC0 /* 169.45.237.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DEE20 /* 169.45.238.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DF2C0 /* 169.45.242.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DF8A0 /* 169.45.248.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92DF860 /* 169.45.248.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92D4720 /* 169.45.71.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92D4760 /* 169.45.71.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92D5780 /* 169.45.87.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92E6F90 /* 169.46.111.144/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92E34E0 /* 169.46.52.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F8260 /* 169.47.130.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F9100 /* 169.47.145.0/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F9980 /* 169.47.153.128/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92FC0C0 /* 169.47.192.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92FC280 /* 169.47.194.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92FC680 /* 169.47.198.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92FD4A0 /* 169.47.212.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2180 /* 169.47.33.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2320 /* 169.47.35.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2580 /* 169.47.37.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2880 /* 169.47.40.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2AA0 /* 169.47.42.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2AC0 /* 169.47.42.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2A60 /* 169.47.42.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F2FA0 /* 169.47.47.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F05C0 /* 169.47.5.192/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA92F0640 /* 169.47.6.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9307220 /* 169.48.114.32/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93079C0 /* 169.48.121.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9307A40 /* 169.48.122.64/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA930D2B0 /* 169.48.210.176/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0xA930D2E0 /* 169.48.210.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA930D340 /* 169.48.211.64/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA930D480 /* 169.48.212.128/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA935FA80 /* 169.53.250.128/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA935FC40 /* 169.53.252.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA935FF40 /* 169.53.255.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9351D80 /* 169.53.29.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9353020 /* 169.53.48.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93547E0 /* 169.53.71.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9355140 /* 169.53.81.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA936C1A0 /* 169.54.193.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93602A0 /* 169.54.2.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA936D200 /* 169.54.210.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA936DE80 /* 169.54.222.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9362CE0 /* 169.54.44.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9363320 /* 169.54.51.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93637C0 /* 169.54.55.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, { 0xA93764A0 /* 169.55.100.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9377E40 /* 169.55.126.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA937D260 /* 169.55.210.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, { 0xA937EBA0 /* 169.55.235.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9373C94 /* 169.55.60.148/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9373CAA /* 169.55.60.170/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93743E0 /* 169.55.67.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9374580 /* 169.55.69.128/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9374A20 /* 169.55.74.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA9374B60 /* 169.55.75.96/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C8180 /* 169.60.129.128/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C9300 /* 169.60.147.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93CC540 /* 169.60.197.64/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C4A70 /* 169.60.74.112/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C4A80 /* 169.60.74.128/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C4A20 /* 169.60.74.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C4B80 /* 169.60.75.128/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93C4F00 /* 169.60.79.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93D6500 /* 169.61.101.0/24 */, 24, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93D5190 /* 169.61.81.144/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93D51E0 /* 169.61.81.224/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93D5240 /* 169.61.82.64/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93D5480 /* 169.61.84.128/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93F4080 /* 169.63.64.128/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93F4920 /* 169.63.73.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93F4940 /* 169.63.73.64/26 */, 26, NDPI_PROTOCOL_WHATSAPP }, + { 0xA93F4C00 /* 169.63.76.0/25 */, 25, NDPI_PROTOCOL_WHATSAPP }, { 0xADC0A220 /* 173.192.162.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xADC0DB80 /* 173.192.219.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xADC0DEA0 /* 173.192.222.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xADC1E680 /* 173.193.230.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xADC1E6C0 /* 173.193.230.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xADC1EF00 /* 173.193.239.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xAE24D080 /* 174.36.208.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xAE24D220 /* 174.36.210.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xAE24FBC0 /* 174.36.251.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xAE25F340 /* 174.37.243.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xAE25FB00 /* 174.37.251.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC030 /* 179.60.192.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC031 /* 179.60.192.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC033 /* 179.60.192.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC134 /* 179.60.193.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC235 /* 179.60.194.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC236 /* 179.60.194.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC331 /* 179.60.195.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC333 /* 179.60.195.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, { 0xB8AD8840 /* 184.173.136.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xB93CDA35 /* 185.60.218.53/32 */, 27, NDPI_PROTOCOL_WHATSAPP }, - { 0xC60BFB20 /* 198.11.251.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xB8AD9320 /* 184.173.147.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xB8ADA140 /* 184.173.161.64/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB8ADAD74 /* 184.173.173.116/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB8ADB320 /* 184.173.179.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CD835 /* 185.60.216.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CD836 /* 185.60.216.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CD935 /* 185.60.217.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CD936 /* 185.60.217.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CDA35 /* 185.60.218.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CDA36 /* 185.60.218.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CDB35 /* 185.60.219.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB93CDB36 /* 185.60.219.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xC09BD4C0 /* 192.155.212.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xC60BC1B6 /* 198.11.193.182/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0xC60BFB20 /* 198.11.251.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xC6175000 /* 198.23.80.0/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, { 0xD02B73C0 /* 208.43.115.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0xD02B754F /* 208.43.117.79/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, { 0xD02B7A80 /* 208.43.122.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4033 /* 31.13.64.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4035 /* 31.13.64.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4131 /* 31.13.65.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4132 /* 31.13.65.50/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4334 /* 31.13.67.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4430 /* 31.13.68.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4434 /* 31.13.68.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D45F0 /* 31.13.69.240/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4631 /* 31.13.70.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4632 /* 31.13.70.50/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4731 /* 31.13.71.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4732 /* 31.13.71.50/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4830 /* 31.13.72.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4834 /* 31.13.72.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4934 /* 31.13.73.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4A34 /* 31.13.74.52/31 */, 31, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4B30 /* 31.13.75.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4B34 /* 31.13.75.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4C51 /* 31.13.76.81/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4C52 /* 31.13.76.82/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4E35 /* 31.13.78.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4E37 /* 31.13.78.55/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5030 /* 31.13.80.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5035 /* 31.13.80.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5130 /* 31.13.81.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5135 /* 31.13.81.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5233 /* 31.13.82.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5237 /* 31.13.82.55/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5331 /* 31.13.83.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5333 /* 31.13.83.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5431 /* 31.13.84.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5433 /* 31.13.84.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5531 /* 31.13.85.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5533 /* 31.13.85.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5631 /* 31.13.86.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5633 /* 31.13.86.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5730 /* 31.13.87.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5733 /* 31.13.87.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5831 /* 31.13.88.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5834 /* 31.13.88.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5935 /* 31.13.89.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5936 /* 31.13.89.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5A31 /* 31.13.90.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5A33 /* 31.13.90.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5B31 /* 31.13.91.49/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5B33 /* 31.13.91.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5C30 /* 31.13.92.48/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5C34 /* 31.13.92.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5D35 /* 31.13.93.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5D36 /* 31.13.93.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5E34 /* 31.13.94.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5E36 /* 31.13.94.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5F32 /* 31.13.95.50/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D5F3F /* 31.13.95.63/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x3216C6CC /* 50.22.198.204/30 */, 30, NDPI_PROTOCOL_WHATSAPP }, + { 0x3216D280 /* 50.22.210.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x3216D220 /* 50.22.210.32/30 */, 30, NDPI_PROTOCOL_WHATSAPP }, + { 0x3216E140 /* 50.22.225.64/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x3216EBF8 /* 50.22.235.248/30 */, 30, NDPI_PROTOCOL_WHATSAPP }, + { 0x3216F0A0 /* 50.22.240.160/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x32175A80 /* 50.23.90.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x32613980 /* 50.97.57.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E0C70 /* 75.126.12.112/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E7B40 /* 75.126.123.64/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E8AA0 /* 75.126.138.160/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E8D50 /* 75.126.141.80/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E1430 /* 75.126.20.48/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E2720 /* 75.126.39.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP }, + { 0x4B7E51C0 /* 75.126.81.192/28 */, 28, NDPI_PROTOCOL_WHATSAPP }, + { 0x66846036 /* 102.132.96.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x66846136 /* 102.132.97.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00D36 /* 157.240.13.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00E34 /* 157.240.14.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01034 /* 157.240.16.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01234 /* 157.240.18.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF0C034 /* 157.240.192.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF0C132 /* 157.240.193.50/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF0C236 /* 157.240.194.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01434 /* 157.240.20.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01533 /* 157.240.21.51/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01534 /* 157.240.21.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01836 /* 157.240.24.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01936 /* 157.240.25.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01A36 /* 157.240.26.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01B36 /* 157.240.27.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF00336 /* 157.240.3.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x9DF01E36 /* 157.240.30.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0xB33CC134 /* 179.60.193.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4238 /* 31.13.66.56/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4334 /* 31.13.67.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4934 /* 31.13.73.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4A34 /* 31.13.74.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + { 0x1F0D4F35 /* 31.13.79.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, /* Files */ - { 0xB93CD835 /* 185.60.216.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CD835 /* 185.60.216.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CD836 /* 185.60.216.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CD935 /* 185.60.217.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CD936 /* 185.60.217.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CDA35 /* 185.60.218.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CDA36 /* 185.60.218.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CDB35 /* 185.60.219.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, + { 0xB93CDB36 /* 185.60.219.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, /* WeChat @@ -661,7 +922,12 @@ static ndpi_network host_protocol_list[] = { { 0x022E8A340 /* 34.232.163.64/28 */, 28, NDPI_PROTOCOL_VIBER }, { 0x022F67200 /* 34.246.114.0/23 */, 23, NDPI_PROTOCOL_VIBER }, { 0x3400FC00 /* 52.0.252.0/22 */, 22, NDPI_PROTOCOL_VIBER }, + { 0x3403A746 /* 52.3.167.70/32 */, 32, NDPI_PROTOCOL_VIBER }, + { 0x34162CEB /* 52.22.44.235/32 */, 32, NDPI_PROTOCOL_VIBER }, + { 0x34165F0F /* 52.22.95.15/32 */, 32, NDPI_PROTOCOL_VIBER }, { 0x3640BFF0 /* 54.64.191.240/28 */, 28, NDPI_PROTOCOL_VIBER }, + { 0x3655545D /* 54.85.84.93/32 */, 32, NDPI_PROTOCOL_VIBER }, + { 0x3655565D /* 54.85.86.93/32 */, 32, NDPI_PROTOCOL_VIBER }, { 0x36A5FFD0 /* 54.165.255.208/28 */, 28, NDPI_PROTOCOL_VIBER }, { 0x36A5FFE0 /* 54.165.255.224/27 */, 27, NDPI_PROTOCOL_VIBER }, { 0x36DBBFA0 /* 54.219.191.160/28 */, 28, NDPI_PROTOCOL_VIBER }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index e18c220a5..7a954a710 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -423,7 +423,8 @@ static const char* categories[] = { "Malware", "Advertisement", "Banned_Site", - "Site_Unavailable" + "Site_Unavailable", + "Allowed_Site", }; /* ****************************************** */ @@ -545,7 +546,7 @@ ndpi_port_range * ndpi_build_default_ports_range(ndpi_port_range *ports, ports[i].port_low = portB_low, ports[i].port_high = portB_high; i++; ports[i].port_low = portC_low, ports[i].port_high = portC_high; i++; ports[i].port_low = portD_low, ports[i].port_high = portD_high; i++; - ports[i].port_low = portE_low, ports[i].port_high = portE_high; i++; + ports[i].port_low = portE_low, ports[i].port_high = portE_high; return(ports); } @@ -564,7 +565,7 @@ ndpi_port_range * ndpi_build_default_ports(ndpi_port_range *ports, ports[i].port_low = portB, ports[i].port_high = portB; i++; ports[i].port_low = portC, ports[i].port_high = portC; i++; ports[i].port_low = portD, ports[i].port_high = portD; i++; - ports[i].port_low = portE, ports[i].port_high = portE; i++; + ports[i].port_low = portE, ports[i].port_high = portE; return(ports); } @@ -718,8 +719,7 @@ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod, ndpi_proto_defaults_t *def, u_int8_t customUserProto, ndpi_default_ports_tree_node_t **root, - const char *_func, int _line) -{ + const char *_func, int _line) { ndpi_default_ports_tree_node_t *ret; u_int16_t port; @@ -999,6 +999,7 @@ static void free_hyperscan_memory(struct hs *h) { if(h) { hs_free_scratch(h->scratch); hs_free_database(h->database); + free(h); } } @@ -2174,16 +2175,6 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str /* ******************************************* */ -/* u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host /\* network byte order *\/) { */ -/* struct in_addr pin; */ - -/* pin.s_addr = host; */ - -/* return(ndpi_network_ptree_match(ndpi_struct, &pin)); */ -/* } */ - -/* ******************************************* */ - #if 0 static u_int8_t tor_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) { return((ndpi_network_ptree_match(ndpi_struct, pin) == NDPI_PROTOCOL_TOR) ? 1 : 0); @@ -2380,7 +2371,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) { for(i=0; i<NUM_CUSTOM_CATEGORIES; i++) snprintf(ndpi_str->custom_category_labels[i], - CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u", i+1); + CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u", (unsigned int)(i+1)); return ndpi_str; } @@ -2698,8 +2689,8 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc struct ndpi_flow_struct *flow, u_int8_t proto, u_int16_t sport, u_int16_t dport, u_int8_t *user_defined_proto) { - *user_defined_proto = 0; /* Default */ + if(sport && dport) { ndpi_default_ports_tree_node_t *found = ndpi_get_guessed_protocol_id(ndpi_struct, proto, sport, dport); @@ -2895,12 +2886,18 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod, Format: <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto> + Subprotocols Format: + host:"<value>",host:"<value>",.....@<subproto> + + IP based Subprotocols Format (<value> is IP or CIDR): + ip:<value>,ip:<value>,.....@<subproto> + Example: tcp:80,tcp:3128@HTTP udp:139@NETBIOS */ -int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char* path) { +int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, const char* path) { FILE *fd; char *buffer, *old_buffer; int chunk_len = 512, buffer_len = chunk_len, old_buffer_len; @@ -2909,14 +2906,14 @@ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char fd = fopen(path, "r"); if(fd == NULL) { - NDPI_LOG_ERR(ndpi_mod, "Unable to open file %s [%s]", path, strerror(errno)); + NDPI_LOG_ERR(ndpi_mod, "Unable to open file %s [%s]\n", path, strerror(errno)); goto error; } buffer = ndpi_malloc(buffer_len); if(buffer == NULL) { - NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure"); + NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure\n"); goto close_fd; } @@ -2933,7 +2930,7 @@ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char buffer = ndpi_realloc(old_buffer, old_buffer_len, buffer_len); if(buffer == NULL) { - NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure"); + NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure\n"); free(old_buffer); goto close_fd; } @@ -3023,8 +3020,7 @@ void ndpi_set_bitmask_protocol_detection(char * label, /* ******************************************************************** */ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, - const NDPI_PROTOCOL_BITMASK * dbm) -{ + const NDPI_PROTOCOL_BITMASK * dbm) { NDPI_PROTOCOL_BITMASK detection_bitmask_local; NDPI_PROTOCOL_BITMASK *detection_bitmask = &detection_bitmask_local; u_int32_t a = 0; @@ -3861,8 +3857,6 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct, const struct ndpi_tcphdr *tcph = packet->tcp; const struct ndpi_udphdr *udph = flow->packet.udp; - u_int8_t proxy_enabled = 0; - packet->tcp_retransmission = 0, packet->packet_direction = 0; if(ndpi_struct->direction_detect_disable) { @@ -3907,7 +3901,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct, flow->l4.tcp.seen_ack = 1; } if((flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0) - || (proxy_enabled && (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0))) { + || (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0)) { /* initialize tcp sequence counters */ /* the ack flag needs to be set to get valid sequence numbers from the other * direction. Usually it will catch the second packet syn+ack but it works @@ -3919,9 +3913,8 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct, if(tcph->ack != 0) { flow->next_tcp_seq_nr[flow->packet.packet_direction] = ntohl(tcph->seq) + (tcph->syn ? 1 : packet->payload_packet_len); - if(!proxy_enabled) { - flow->next_tcp_seq_nr[1 -flow->packet.packet_direction] = ntohl(tcph->ack_seq); - } + + flow->next_tcp_seq_nr[1 -flow->packet.packet_direction] = ntohl(tcph->ack_seq); } } else if(packet->payload_packet_len > 0) { /* check tcp sequence counters */ @@ -4185,7 +4178,7 @@ static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module ret.app_protocol = ret.master_protocol; ndpi_fill_protocol_category(ndpi_struct, flow, &ret); - + ndpi_int_change_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); return(ret); @@ -4279,6 +4272,20 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st && (flow->protos.stun_ssl.stun.num_processed_pkts > 0)) guessed_protocol_id = NDPI_PROTOCOL_STUN; + + if(flow->host_server_name[0] != '\0') { + ndpi_protocol_match_result ret_match; + + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + &ret_match, + NDPI_PROTOCOL_DNS); + + if(ret_match.protocol_id != NDPI_PROTOCOL_UNKNOWN) + guessed_host_protocol_id = ret_match.protocol_id; + } + ndpi_int_change_protocol(ndpi_struct, flow, guessed_host_protocol_id, guessed_protocol_id); @@ -4433,18 +4440,8 @@ int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct struct hs_list *h = (struct hs_list*)malloc(sizeof(struct hs_list)); if(h) { - char tmp[256]; int i, j; - for(i=0, j=0; (j<sizeof(tmp)) && (name[i] != '\0'); i++) { - if(name[i] == '.') - tmp[j++] = '\\'; - - tmp[j++] = name[i]; - } - - tmp[j] = '\0'; - h->expression = ndpi_strdup(name), h->id = (unsigned int)category; if(h->expression == NULL) { free(h); @@ -4507,7 +4504,8 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str) ndpi_str->custom_categories.hostnames = (struct hs*)malloc(sizeof(struct hs)); if(ndpi_str->custom_categories.hostnames == NULL) { - free(expressions), free(ids); + free(expressions); + free(ids); return(-1); /* Failed */ } @@ -4599,9 +4597,9 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc ndpi_protocol *ret) { if(ndpi_struct->custom_categories.categories_loaded) { if(flow->guessed_header_category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) { - flow->category = flow->guessed_header_category; + flow->category = ret->category = flow->guessed_header_category; return; - } + } if(flow->host_server_name[0] != '\0') { unsigned long id; @@ -4652,14 +4650,29 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct flow->num_processed_pkts++; if(flow->server_id == NULL) flow->server_id = dst; /* Default */ - if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) - goto ret_protocols; + if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { + /* + With SSL we might want to dissect further packets to decode + the certificate type for instance + */ + if(flow->check_extra_packets + /* + && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) + || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_SSL)) + */ + ) { + ndpi_process_extra_packet(ndpi_struct, flow, packet, packetlen, current_tick_l, src, dst); + ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + return(ret); + } else + goto ret_protocols; + } /* need at least 20 bytes for ip header */ if(packetlen < 20) { /* reset protocol which is normally done in init_packet_header */ ndpi_int_reset_packet_protocol(&flow->packet); - return(ret); + goto invalidate_ptr; } flow->packet.tick_timestamp_l = current_tick_l; @@ -4670,7 +4683,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct /* we are interested in ipv4 packet */ if(ndpi_init_packet_header(ndpi_struct, flow, packetlen) != 0) - return(ret); + goto invalidate_ptr; /* detect traffic for tcp or udp only */ flow->src = src, flow->dst = dst; @@ -4731,19 +4744,19 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct flow->guessed_host_protocol_id = ndpi_guess_host_protocol_id(ndpi_struct, flow); if(ndpi_struct->custom_categories.categories_loaded && flow->packet.iph) { - ndpi_protocol ret; - + ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; + ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, &ret); flow->guessed_header_category = ret.category; } else flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; - + if(flow->guessed_protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS-1)) { /* This is a custom protocol and it has priority over everything else */ ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_host_protocol_id; ndpi_fill_protocol_category(ndpi_struct, flow, &ret); - return(ret); + goto invalidate_ptr; } if(user_defined_proto && flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { @@ -4754,7 +4767,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } ndpi_fill_protocol_category(ndpi_struct, flow, &ret); - return(ret); + goto invalidate_ptr; } } else { /* guess host protocol */ @@ -4784,8 +4797,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ndpi_check_flow_func(ndpi_struct, flow, &ndpi_selection_packet); ndpi_fill_protocol_category(ndpi_struct, flow, &ret); - - return(ret); + goto invalidate_ptr; } ndpi_check_flow_func(ndpi_struct, flow, &ndpi_selection_packet); @@ -4797,10 +4809,14 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(a != NDPI_PROTOCOL_UNKNOWN) { int i; - for(i=0; (i<sizeof(flow->host_server_name)) && (flow->host_server_name[i] != '\0'); i++) - flow->host_server_name[i] = tolower(flow->host_server_name[i]); - - flow->host_server_name[i] ='\0'; + for(i=0; i<sizeof(flow->host_server_name); i++) { + if(flow->host_server_name[i] != '\0') + flow->host_server_name[i] = tolower(flow->host_server_name[i]); + else { + flow->host_server_name[i] ='\0'; + break; + } + } } ret_protocols: @@ -4831,6 +4847,13 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ret = ndpi_detection_giveup(ndpi_struct, flow, 0); } + invalidate_ptr: + /* + Invalidate packet memory to avoid accessing the pointers below + when the packet is no longer accessible + */ + flow->packet.iph = NULL, flow->packet.tcp = NULL, flow->packet.udp = NULL; + return(ret); } @@ -5030,7 +5053,8 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc packet->line[packet->parsed_lines].ptr = packet->payload; packet->line[packet->parsed_lines].len = 0; - for(a = 0; a < packet->payload_packet_len; a++) { + for(a = 0; (a < packet->payload_packet_len) + && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) { if((a + 1) == packet->payload_packet_len) return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */ @@ -5691,8 +5715,8 @@ char *ndpi_get_packet_dst_ip_string(struct ndpi_detection_module_struct *ndpi_st /* ****************************************************** */ u_int16_t ntohs_ndpi_bytestream_to_number(const u_int8_t * str, - u_int16_t max_chars_to_read, u_int16_t * bytes_read) -{ + u_int16_t max_chars_to_read, + u_int16_t * bytes_read) { u_int16_t val = ndpi_bytestream_to_number(str, max_chars_to_read, bytes_read); return ntohs(val); } @@ -6107,7 +6131,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str u_int16_t master_protocol_id, ndpi_protocol_match_result *ret_match, u_int8_t is_host_match) { - int matching_protocol_id = NDPI_PROTOCOL_UNKNOWN; + int matching_protocol_id; struct ndpi_packet_struct *packet = &flow->packet; #ifndef HAVE_HYPERSCAN @@ -6117,6 +6141,8 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str #else struct hs *hs = (struct hs*)ndpi_struct->hyperscan; hs_error_t status; + + matching_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* TODO HYPERSCAN In case of match fill up ret_match and set flow protocol + category @@ -6378,3 +6404,54 @@ int ndpi_flowv6_flow_hash(u_int8_t l4_proto, struct ndpi_in6_addr *src_ip, struc return(0); /* OK */ } + +/* **************************************** */ + +/* **************************************** */ + +struct cipher_weakness { + u_int16_t cipher_id; + ndpi_cipher_weakness weakness_type; +}; + +static struct cipher_weakness safe_ssl_ciphers[] = { + /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */ + /* INSECURE */ + { 0xc011, NDPI_CIPHER_INSECURE }, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */ + { 0x0005, NDPI_CIPHER_INSECURE }, /* TLS_RSA_WITH_RC4_128_SHA */ + { 0x0004, NDPI_CIPHER_INSECURE }, /* TLS_RSA_WITH_RC4_128_MD5 */ + /* WEAK */ + { 0x009d, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */ + { 0x003d, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */ + { 0x0035, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_CBC_SHA */ + { 0x0084, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */ + { 0x009c, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */ + { 0x003c, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */ + { 0x002f, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_CBC_SHA */ + { 0x0041, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */ + { 0xc012, NDPI_CIPHER_WEAK }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */ + { 0x0016, NDPI_CIPHER_WEAK }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ + { 0x000a, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */ + { 0x0096, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_SEED_CBC_SHA */ + { 0x0007, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_IDEA_CBC_SHA */ + + { 0x0, NDPI_CIPHER_SAFE } /* END */ +}; + +u_int8_t ndpi_is_safe_ssl_cipher(u_int16_t cipher) { + u_int i; + + for(i=0; safe_ssl_ciphers[i].cipher_id != 0; i++) { + if(safe_ssl_ciphers[i].cipher_id == cipher) { +#ifdef CERTIFICATE_DEBUG + printf("%s %s(%04X / %u)\n", + (safe_ssl_ciphers[i].weakness_type == NDPI_CIPHER_WEAK) ? "WEAK" : "INSECURE", + __FUNCTION__, cipher, cipher); +#endif + + return(safe_ssl_ciphers[i].weakness_type); + } + } + + return(NDPI_CIPHER_SAFE); /* We're safe */ +} diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c index 5992c1b28..ea06a6348 100644 --- a/src/lib/protocols/btlib.c +++ b/src/lib/protocols/btlib.c @@ -204,8 +204,7 @@ void cb_data(bt_parse_data_cb_t *cbd,int *ret) { if(cbd->t == 0) return; if(cbd->t == 1) { - - DEBUG_TRACE(printf("%s %lld\n",cbd->buf,cbd->v.i)); + DEBUG_TRACE(printf("%s %lld\n",cbd->buf, (long long)cbd->v.i)); if(STREQ(cbd->buf,"a.port")) { p->a.port = (u_int16_t)(cbd->v.i & 0xffff); @@ -234,7 +233,7 @@ void cb_data(bt_parse_data_cb_t *cbd,int *ret) { p->h_mint = 1; return; } - DEBUG_TRACE(printf("UNKNOWN %s %lld\n",cbd->buf,cbd->v.i)); + DEBUG_TRACE(printf("UNKNOWN %s %lld\n",cbd->buf, (long long)cbd->v.i)); return; } if(cbd->t != 2) { diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c index cf5061bbe..c99ab5fc1 100644 --- a/src/lib/protocols/coap.c +++ b/src/lib/protocols/coap.c @@ -130,7 +130,7 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, if(h->version == 1) { if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) { if(h->tkl < 8) { - if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) || + if((/* h->code >= 0 && */ h->code <= 5) || (h->code >= 65 && h->code <= 69) || (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || (h->code >= 160 && h->code <= 165)) { diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c index 7f4479419..f316f96b7 100644 --- a/src/lib/protocols/csgo.c +++ b/src/lib/protocols/csgo.c @@ -30,6 +30,11 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n struct ndpi_packet_struct* packet = &flow->packet; if (packet->udp != NULL) { + if (packet->payload_packet_len < sizeof(uint32_t)) { + NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n"); + return; + } + uint32_t w = htonl(get_u_int32_t(packet->payload, 0)); NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w); diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index 5088685e4..19582724d 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c @@ -318,7 +318,6 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct struct ndpi_id_struct *dst = flow->dst; int pos, count = 0; - if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { if ((u_int32_t) (packet->tick_timestamp - diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 1c2593feb..dc97f3fe7 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -190,11 +190,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd flow->protos.dns.rsp_type = rsp_type; /* here x points to the response "class" field */ - if((x+12) < flow->packet.payload_packet_len) { + if((x+12) <= flow->packet.payload_packet_len) { x += 6; data_len = get16(&x, flow->packet.payload); - if(((x + data_len) < flow->packet.payload_packet_len) + if(((x + data_len) <= flow->packet.payload_packet_len) && (((rsp_type == 0x1) && (data_len == 4)) /* A */ #ifdef NDPI_DETECTION_SUPPORT_IPV6 || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index 39bb96ff2..895bb0164 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -30,11 +30,9 @@ #define DB_LSP_PORT 17500 - static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) -{ + u_int8_t due_to_correlation) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN); } @@ -51,8 +49,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(packet->udp->dest == dropbox_port) { if(packet->udp->source == dropbox_port) { if(payload_len > 10) { - if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { - + if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); return; @@ -60,8 +57,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, } } else { if(payload_len > 10) { - if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { - + if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); return; diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c index 547bafc5f..ca5abebad 100644 --- a/src/lib/protocols/edonkey.c +++ b/src/lib/protocols/edonkey.c @@ -177,7 +177,6 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->edonkey_stage = packet->packet_direction + 1; } - } else { NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage); @@ -187,7 +186,7 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, } /* This is a packet in another direction. Check if we find the proper response. */ - if((payload_len == 0) || (ndpi_edonkey_payload_check(packet->payload, payload_len))) { + if(ndpi_edonkey_payload_check(packet->payload, payload_len)) { NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n"); ndpi_int_edonkey_add_connection(ndpi_struct, flow); } else { diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 7c646c363..3aaf6f97e 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -62,9 +62,11 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd ; } else return 0; + + return 1; } - return 1; + return 0; } static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 5bc2980cc..75a8e534b 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c @@ -68,7 +68,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - u_int16_t c; NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 33ef9e2ed..e715dd499 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -184,6 +184,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ case 'P': switch(flow->packet.http_method.ptr[1]) { + case 'A': flow->http.method = NDPI_HTTP_METHOD_PATCH; break; case 'O': flow->http.method = NDPI_HTTP_METHOD_POST; break; case 'U': flow->http.method = NDPI_HTTP_METHOD_PUT; break; } @@ -414,6 +415,7 @@ static struct l_string { STATIC_STRING_L("OPTIONS "), STATIC_STRING_L("HEAD "), STATIC_STRING_L("PUT "), + STATIC_STRING_L("PATCH "), STATIC_STRING_L("DELETE "), STATIC_STRING_L("CONNECT "), STATIC_STRING_L("PROPFIND "), diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 515d5b572..0bb87b88a 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -64,6 +64,8 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s goto icecast_exclude; } + if(flow == NULL) return; + if((packet->packet_direction == flow->setup_packet_direction) && (flow->packet_counter < 10)) { return; diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index f7fbd337c..fdc47d15c 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -58,13 +58,16 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct NDPI_LOG_DBG(ndpi_struct, "search mail_smtp\n"); - if (packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) { + if((packet->payload_packet_len > 2) + && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET) + && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) + ) { u_int8_t a; u_int8_t bit_count = 0; NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow,packet); - for (a = 0; a < packet->parsed_lines; a++) { + for (a = 0; a < packet->parsed_lines; a++) { // expected server responses if (packet->line[a].len >= 3) { if (memcmp(packet->line[a].ptr, "220", 3) == 0) { diff --git a/src/lib/protocols/memcached.c b/src/lib/protocols/memcached.c index e9deb5cc9..44a8b0858 100644 --- a/src/lib/protocols/memcached.c +++ b/src/lib/protocols/memcached.c @@ -89,7 +89,7 @@ #define MEMCACHED_MIN_MATCH 2 /* Minimum number of command/responses required */ -#define MEMCACHED_MATCH(cr) memcmp(offset, cr, cr ## _LEN) +#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) static void ndpi_int_memcached_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -105,6 +105,7 @@ void ndpi_search_memcached( { struct ndpi_packet_struct *packet = &flow->packet; const u_int8_t *offset = packet->payload; + const u_int16_t length = packet->payload_packet_len; u_int8_t *matches; NDPI_LOG_DBG(ndpi_struct, "search memcached\n"); diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c index d1602a2fe..1306c381d 100644 --- a/src/lib/protocols/mysql.c +++ b/src/lib/protocols/mysql.c @@ -29,42 +29,46 @@ #include "ndpi_api.h" - -static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); -} - -void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; NDPI_LOG_DBG(ndpi_struct, "search MySQL\n"); if(packet->tcp) { - if (packet->payload_packet_len > 38 //min length - && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length - && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length - && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet - && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 - && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 - && get_u_int8_t(packet->payload, 6) == 0x2e //dot - ) { + if(packet->payload_packet_len > 38 //min length + && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length + && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length + && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet + && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 + && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 + && get_u_int8_t(packet->payload, 6) == 0x2e //dot + ) { +#if 0 + /* Old code */ u_int32_t a; - for (a = 7; a + 31 < packet->payload_packet_len; a++) { - if (packet->payload[a] == 0x00) { - if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte - && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more - && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes - && get_u_int8_t(packet->payload, a + 31) == 0x0) { + + for(a = 7; a + 31 < packet->payload_packet_len; a++) { + if(packet->payload[a] == 0x00) { + if(get_u_int8_t(packet->payload, a + 13) == 0x00 // filler byte + && get_u_int64_t(packet->payload, a + 19) == 0x0ULL // 13 more + && get_u_int32_t(packet->payload, a + 27) == 0x0 // filler bytes + && get_u_int8_t(packet->payload, a + 31) == 0x0) { NDPI_LOG_INFO(ndpi_struct, "found MySQL\n"); - ndpi_int_mysql_add_connection(ndpi_struct, flow); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); return; } + break; } } +#else + if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22], + "mysql_", 6) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found MySQL\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); + return; + } +#endif } } diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index 1436b2cec..2583dbfdf 100644 --- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c @@ -123,6 +123,28 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct return; } + if ((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0) + && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { + NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n"); + ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + return; + } + + if ((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0) + && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) { + NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n"); + ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + return; + } + + /* SIP message extension RFC 3248 */ + if ((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0) + && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { + NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n"); + ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + return; + } + /* Courtesy of Miguel Quesada <mquesadab@gmail.com> */ if ((memcmp(packet_payload, "OPTIONS ", 8) == 0 || memcmp(packet_payload, "options ", 8) == 0) diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 05988a8d4..eee31e94b 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -27,7 +27,7 @@ #include "ndpi_api.h" -// #define CERTIFICATE_DEBUG 1 +/* #define CERTIFICATE_DEBUG 1 */ #define NDPI_MAX_SSL_REQUEST_SIZE 10000 @@ -35,6 +35,204 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +/* **************************************** */ + +typedef struct MD5Context { + uint32_t buf[4]; + uint32_t bits[2]; + unsigned char in[64]; +} MD5_CTX; + +/* **************************************** */ + +static int is_big_endian(void) { + static const int n = 1; + return ((char *) &n)[0] == 0; +} + +static void byteReverse(unsigned char *buf, unsigned longs) { + uint32_t t; + + // Forrest: MD5 expect LITTLE_ENDIAN, swap if BIG_ENDIAN + if (is_big_endian()) { + do { + t = (uint32_t) ((unsigned) buf[3] << 8 | buf[2]) << 16 | + ((unsigned) buf[1] << 8 | buf[0]); + * (uint32_t *) buf = t; + buf += 4; + } while (--longs); + } +} + +#define F1(x, y, z) (z ^ (x & (y ^ z))) +#define F2(x, y, z) F1(z, x, y) +#define F3(x, y, z) (x ^ y ^ z) +#define F4(x, y, z) (y ^ (x | ~z)) + +#define MD5STEP(f, w, x, y, z, data, s) \ + ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x ) + +// Start MD5 accumulation. Set bit count to 0 and buffer to mysterious +// initialization constants. +static void MD5Init(MD5_CTX *ctx) { + ctx->buf[0] = 0x67452301; + ctx->buf[1] = 0xefcdab89; + ctx->buf[2] = 0x98badcfe; + ctx->buf[3] = 0x10325476; + + ctx->bits[0] = 0; + ctx->bits[1] = 0; +} + +static void MD5Transform(uint32_t buf[4], uint32_t const in[16]) { + uint32_t a, b, c, d; + + a = buf[0]; + b = buf[1]; + c = buf[2]; + d = buf[3]; + + MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); + MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); + MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); + MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); + MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); + MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); + MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); + MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); + MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); + MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); + MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); + MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); + MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); + MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); + MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); + MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); + + MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); + MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); + MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); + MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); + MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); + MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); + MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); + MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); + MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); + MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); + MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); + MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); + MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); + MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); + MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); + MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); + + MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); + MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); + MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); + MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); + MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); + MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); + MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); + MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); + MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); + MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); + MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); + MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); + MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); + MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); + MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); + MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); + + MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); + MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); + MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); + MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); + MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); + MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); + MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); + MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); + MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); + MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); + MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); + MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); + MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); + MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); + MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); + MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); + + buf[0] += a; + buf[1] += b; + buf[2] += c; + buf[3] += d; +} + +static void MD5Update(MD5_CTX *ctx, unsigned char const *buf, unsigned len) { + uint32_t t; + + t = ctx->bits[0]; + if ((ctx->bits[0] = t + ((uint32_t) len << 3)) < t) + ctx->bits[1]++; + ctx->bits[1] += len >> 29; + + t = (t >> 3) & 0x3f; + + if (t) { + unsigned char *p = (unsigned char *) ctx->in + t; + + t = 64 - t; + if (len < t) { + memcpy(p, buf, len); + return; + } + memcpy(p, buf, t); + byteReverse(ctx->in, 16); + MD5Transform(ctx->buf, (uint32_t *) ctx->in); + buf += t; + len -= t; + } + + while (len >= 64) { + memcpy(ctx->in, buf, 64); + byteReverse(ctx->in, 16); + MD5Transform(ctx->buf, (uint32_t *) ctx->in); + buf += 64; + len -= 64; + } + + memcpy(ctx->in, buf, len); +} + +static void MD5Final(unsigned char digest[16], MD5_CTX *ctx) { + unsigned count; + unsigned char *p; + uint32_t *c = (uint32_t*)ctx->in; + + count = (ctx->bits[0] >> 3) & 0x3F; + + p = ctx->in + count; + *p++ = 0x80; + count = 64 - 1 - count; + if (count < 8) { + memset(p, 0, count); + byteReverse(ctx->in, 16); + MD5Transform(ctx->buf, (uint32_t *) ctx->in); + memset(ctx->in, 0, 56); + } else { + memset(p, 0, count - 8); + } + byteReverse(ctx->in, 14); + + c[14] = ctx->bits[0]; + c[15] = ctx->bits[1]; + + MD5Transform(ctx->buf, (uint32_t *) ctx->in); + byteReverse((unsigned char *) ctx->buf, 4); + memcpy(digest, ctx->buf, 16); + memset((char *) ctx, 0, sizeof(*ctx)); +} + +/* **************************************** */ + static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { @@ -143,18 +341,42 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { } } -/* Code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */ +/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ + +#define JA3_STR_LEN 1024 +#define MAX_NUM_JA3 128 + +struct ja3_info { + u_int16_t ssl_version; + u_int16_t num_cipher, cipher[MAX_NUM_JA3]; + u_int16_t num_ssl_extension, ssl_extension[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; + u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; +}; + +/* **************************************** */ + +/* code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *buffer, int buffer_len) { struct ndpi_packet_struct *packet = &flow->packet; + struct ja3_info ja3; + u_int8_t invalid_ja3 = 0; + u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len; + char ja3_str[JA3_STR_LEN]; + MD5_CTX ctx; + u_char md5_hash[16]; + + flow->protos.stun_ssl.ssl.ssl_version = ssl_version; + + memset(&ja3, 0, sizeof(ja3)); #ifdef CERTIFICATE_DEBUG { - u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2]; - u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4]; - - printf("SSL Record [version: 0x%02X][len: %u]\n", ssl_version, ssl_len); + u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4]; + + printf("SSL Record [version: %u][len: %u]\n", ssl_version, ssl_len); } #endif @@ -183,10 +405,84 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, if((handshake_protocol == 0x02) || (handshake_protocol == 0xb) /* Server Hello and Certificate message types are interesting for us */) { u_int num_found = 0; + u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9])); + + ja3.ssl_version = ssl_version; + + if(handshake_protocol == 0x02) { + u_int16_t offset = 43, extension_len, j; + u_int8_t session_id_len = packet->payload[43]; + + offset += session_id_len+1; + + ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); + flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; + +#ifdef CERTIFICATE_DEBUG + printf("SSL [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); +#endif + + offset += 2 + 1; + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + +#ifdef CERTIFICATE_DEBUG + printf("SSL [server][extension_len: %u]\n", extension_len); +#endif + offset += 2; + + for(i=0; i<extension_len; ) { + u_int16_t id, len; + + if(offset >= (packet->payload_packet_len+4)) break; + + id = ntohs(*((u_int16_t*)&packet->payload[offset])); + len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); + + if(ja3.num_ssl_extension < MAX_NUM_JA3) + ja3.ssl_extension[ja3.num_ssl_extension++] = id; + +#ifdef CERTIFICATE_DEBUG + printf("SSL [server][extension_id: %u]\n", id); +#endif + + i += 4 + len, offset += 4 + len; + } + + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version); + + for(i=0; i<ja3.num_cipher; i++) + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); + + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + + /* ********** */ - if(handshake_protocol == 0x02) + for(i=0; i<ja3.num_ssl_extension; i++) + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.ssl_extension[i]); + +#ifdef CERTIFICATE_DEBUG + printf("SSL [server] %s\n", ja3_str); +#endif + +#ifdef CERTIFICATE_DEBUG + printf("[JA3] Server: %s \n", ja3_str); +#endif + + MD5Init(&ctx); + MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + MD5Final(md5_hash, &ctx); + + for(i=0, j=0; i<16; i++) + j += snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); + +#ifdef CERTIFICATE_DEBUG + printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); +#endif + flow->l4.tcp.ssl_seen_server_cert = 1; - else + } else flow->l4.tcp.ssl_seen_certificate = 1; /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ @@ -235,6 +531,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, snprintf(flow->protos.stun_ssl.ssl.server_certificate, sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); } + return(1 /* Server Certificate */); } } @@ -242,101 +539,251 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, } } else if(handshake_protocol == 0x01 /* Client Hello */) { u_int offset, base_offset = 43; + if(base_offset + 2 <= packet->payload_packet_len) { - u_int16_t session_id_len = packet->payload[base_offset]; + u_int16_t session_id_len = packet->payload[base_offset]; + u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9])); - if((session_id_len+base_offset+2) <= total_len) { - u_int16_t cypher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); - offset = base_offset + session_id_len + cypher_len + 2; + ja3.ssl_version = ssl_version; - flow->l4.tcp.ssl_seen_client_cert = 1; + if((session_id_len+base_offset+2) <= total_len) { + u_int16_t cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); + u_int16_t i, cipher_offset = base_offset + session_id_len + 3; - if(offset < total_len) { - u_int16_t compression_len; - u_int16_t extensions_len; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [client cipher_len: %u]\n", cipher_len); +#endif + + if((cipher_offset+cipher_len) <= total_len) { + for(i=0; i<cipher_len;) { + u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i]; + +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [cipher suite: %u] [%u/%u]\n", ntohs(*id), i, cipher_len); +#endif + if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { + /* + Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] + https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 + */ + + if(ja3.num_cipher < MAX_NUM_JA3) + ja3.cipher[ja3.num_cipher++] = ntohs(*id); + else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); +#endif + } + } + + i += 2; + } + } else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); +#endif + } + + offset = base_offset + session_id_len + cipher_len + 2; + + flow->l4.tcp.ssl_seen_client_cert = 1; + + if(offset < total_len) { + u_int16_t compression_len; + u_int16_t extensions_len; - offset++; - compression_len = packet->payload[offset]; - offset++; + offset++; + compression_len = packet->payload[offset]; + offset++; #ifdef CERTIFICATE_DEBUG - printf("SSL [compression_len: %u]\n", compression_len); + printf("Client SSL [compression_len: %u]\n", compression_len); #endif - // offset += compression_len + 3; - offset += compression_len; + // offset += compression_len + 3; + offset += compression_len; - if(offset < total_len) { - extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - offset += 2; + if(offset < total_len) { + extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + offset += 2; #ifdef CERTIFICATE_DEBUG - printf("SSL [extensions_len: %u]\n", extensions_len); + printf("Client SSL [extensions_len: %u]\n", extensions_len); #endif - if((extensions_len+offset) <= total_len) { - /* Move to the first extension - Type is u_int to avoid possible overflow on extension_len addition */ - u_int extension_offset = 0; + if((extensions_len+offset) <= total_len) { + /* Move to the first extension + Type is u_int to avoid possible overflow on extension_len addition */ + u_int extension_offset = 0; + u_int32_t md5h[4], j; - while(extension_offset < extensions_len) { - u_int16_t extension_id, extension_len; + while(extension_offset < extensions_len) { + u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; #ifdef CERTIFICATE_DEBUG - printf("SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); + printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); #endif - if(extension_id == 0) { -#if 1 - u_int16_t len; - - len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; - len = (u_int)ndpi_min(len, buffer_len-1); - strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); - buffer[len] = '\0'; -#else - /* old code */ - u_int begin = 0; - char *server_name = (char*)&packet->payload[offset+extension_offset]; - - while(begin < extension_len) { - if((!ndpi_isprint(server_name[begin])) - || ndpi_ispunct(server_name[begin]) - || ndpi_isspace(server_name[begin])) - begin++; - else - break; - } + if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { + /* Skip GREASE */ - len = (u_int)ndpi_min(extension_len-begin, buffer_len-1); - strncpy(buffer, &server_name[begin], len); - buffer[len] = '\0'; + if(ja3.num_ssl_extension < MAX_NUM_JA3) + ja3.ssl_extension[ja3.num_ssl_extension++] = extension_id; + else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid extensions %u\n", ja3.num_ssl_extension); #endif + } + } + + if(extension_id == 0 /* server name */) { + u_int16_t len; + + len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; + len = (u_int)ndpi_min(len, buffer_len-1); + strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); + buffer[len] = '\0'; + + stripCertificateTrailer(buffer, buffer_len); + + if(!ndpi_struct->disable_metadata_export) { + snprintf(flow->protos.stun_ssl.ssl.client_certificate, + sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); + } + } else if(extension_id == 10 /* supported groups */) { + u_int16_t i, s_offset = offset+extension_offset + 2; + +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); +#endif + + if((s_offset+extension_len-2) <= total_len) { + for(i=0; i<extension_len-2;) { + u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); - stripCertificateTrailer(buffer, buffer_len); +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [EllipticCurve: %u]\n", s_group); +#endif + if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { + /* Skip GREASE */ + if(ja3.num_elliptic_curve < MAX_NUM_JA3) + ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; + else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); +#endif + } + } - if(!ndpi_struct->disable_metadata_export) { - snprintf(flow->protos.stun_ssl.ssl.client_certificate, - sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); + i += 2; } + } else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); +#endif + } + } else if(extension_id == 11 /* ec_point_formats groups */) { + u_int16_t i, s_offset = offset+extension_offset + 1; - /* We're happy now */ - return(2 /* Client Certificate */); +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); +#endif + if((s_offset+extension_len) < total_len) { + for(i=0; i<extension_len-1;i++) { + u_int8_t s_group = packet->payload[s_offset+i]; + +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); +#endif + + if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) + ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; + else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); +#endif + } + } + } else { + invalid_ja3 = 1; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); +#endif } + } + + extension_offset += extension_len; - extension_offset += extension_len; +#ifdef CERTIFICATE_DEBUG + printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); +#endif + } /* while */ + + if(!invalid_ja3) { + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version); + + for(i=0; i<ja3.num_cipher; i++) { + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.cipher[i]); } + + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + + /* ********** */ + + for(i=0; i<ja3.num_ssl_extension; i++) + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.ssl_extension[i]); + + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + + /* ********** */ + + for(i=0; i<ja3.num_elliptic_curve; i++) + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.elliptic_curve[i]); + + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + + for(i=0; i<ja3.num_elliptic_curve_point_format; i++) + ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); + +#ifdef CERTIFICATE_DEBUG + printf("[JA3] Client: %s \n", ja3_str); +#endif + + MD5Init(&ctx); + MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + MD5Final(md5_hash, &ctx); + + for(i=0, j=0; i<16; i++) + j += snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", md5_hash[i]); + +#ifdef CERTIFICATE_DEBUG + printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); +#endif } + + return(2 /* Client Certificate */); } } } } + } } } } @@ -345,69 +792,70 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, } void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *buffer, int buffer_len) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_flow_struct *flow, + char *buffer, int buffer_len) { + struct ndpi_packet_struct *packet = &flow->packet; - if(packet->payload[0] != 0x16 /* Handshake */) - return; + if(packet->payload[0] != 0x16 /* Handshake */) + return; - u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */; - u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ + u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */; + u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - if(handshake_protocol != 0x02 && handshake_protocol != 0xb /* Server Hello and Certificate message types are interesting for us */) - return; + if(handshake_protocol != 0x02 && handshake_protocol != 0xb /* Server Hello and Certificate message types are interesting for us */) + return; - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; + /* Truncate total len, search at least in incomplete packet */ + if(total_len > packet->payload_packet_len) + total_len = packet->payload_packet_len; - memset(buffer, 0, buffer_len); + memset(buffer, 0, buffer_len); - /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - u_int num_found = 0; - u_int i, j; - for(i = 9; i < packet->payload_packet_len-4; i++) { - /* Organization OID: 2.5.4.10 */ - if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { - u_int8_t type_tag = packet->payload[i+3]; // 0x0c: utf8string / 0x13: printable_string - u_int8_t server_len = packet->payload[i+4]; - - num_found++; - /* what we want is subject certificate, so we bypass the issuer certificate */ - if(num_found != 2) continue; - - // packet is truncated... further inspection is not needed - if(i+4+server_len >= packet->payload_packet_len) { - break; - } + /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ + u_int num_found = 0; + u_int i, j; + for(i = 9; i < packet->payload_packet_len-4; i++) { + /* Organization OID: 2.5.4.10 */ + if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { + u_int8_t type_tag = packet->payload[i+3]; // 0x0c: utf8string / 0x13: printable_string + u_int8_t server_len = packet->payload[i+4]; - char *server_org = (char*)&packet->payload[i+5]; + num_found++; + /* what we want is subject certificate, so we bypass the issuer certificate */ + if(num_found != 2) continue; - u_int len = (u_int)ndpi_min(server_len, buffer_len-1); - strncpy(buffer, server_org, len); - buffer[len] = '\0'; + // packet is truncated... further inspection is not needed + if(i+4+server_len >= packet->payload_packet_len) { + break; + } - // check if organization string are all printable - u_int8_t is_printable = 1; - for (j = 0; j < len; j++) { - if(!ndpi_isprint(buffer[j])) { - is_printable = 0; - break; - } - } + char *server_org = (char*)&packet->payload[i+5]; + + u_int len = (u_int)ndpi_min(server_len, buffer_len-1); + strncpy(buffer, server_org, len); + buffer[len] = '\0'; - if(is_printable == 1) { - snprintf(flow->protos.stun_ssl.ssl.server_organization, - sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); + // check if organization string are all printable + u_int8_t is_printable = 1; + for (j = 0; j < len; j++) { + if(!ndpi_isprint(buffer[j])) { + is_printable = 0; + break; + } + } + + if(is_printable == 1) { + snprintf(flow->protos.stun_ssl.ssl.server_organization, + sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); #ifdef CERTIFICATE_DEBUG - printf("Certificate origanization: %s\n", flow->protos.stun_ssl.ssl.server_organization); + printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization); #endif - } - } + } } + } } + int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -745,7 +1193,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc /* No whatsapp, let's try SSL */ if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0) return; - } + } if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n"); diff --git a/tests/pcap/ftp.pcap b/tests/pcap/ftp.pcap Binary files differnew file mode 100644 index 000000000..0bbc7d16f --- /dev/null +++ b/tests/pcap/ftp.pcap diff --git a/tests/pcap/rdp.pcap b/tests/pcap/rdp.pcap Binary files differnew file mode 100644 index 000000000..46b934027 --- /dev/null +++ b/tests/pcap/rdp.pcap diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 83268c659..637f29815 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -1,4 +1,4 @@ -Unknown 21 5946 11 +Unknown 24 6428 14 DNS 2 378 1 HTTP 524 220123 9 MDNS 1 82 1 @@ -10,10 +10,9 @@ QQ 28 5216 2 RTP 2 132 1 SSL 105 21914 7 DHCPV6 10 980 3 -Facebook 21 7145 4 +Facebook 19 6840 2 Google 3 176 1 GenericProtocol 433 311919 14 -UPnP 1 177 1 LLMNR 89 6799 47 1 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7/HTTP][cat: Web/5][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Host: 183.131.48.144] @@ -33,11 +32,11 @@ LLMNR 89 6799 47 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com] 16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][cat: Network/14][14 pkts/4788 bytes -> 0 pkts/0 bytes] 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes] - 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][client: 1] - 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][client: 1] - 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][client: 1] + 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] + 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] + 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: jp.kankan.1kxun.mobi] - 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][client: 1] + 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi] 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes] 25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/2450 bytes -> 0 pkts/0 bytes] @@ -78,62 +77,59 @@ LLMNR 89 6799 47 60 UDP [fe80::9bd:81dd:2fdc:5750]:61548 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] 61 UDP [fe80::9bd:81dd:2fdc:5750]:64568 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] 62 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes] - 63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/182 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 69 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 153/UPnP][cat: Network/14][1 pkts/177 bytes -> 0 pkts/0 bytes] - 70 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/110 bytes <-> 1 pkts/66 bytes] - 71 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 72 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 73 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav] - 74 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] - 75 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] - 76 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 77 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 78 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 188.119/QUIC.Facebook][cat: SocialNetwork/6][1 pkts/163 bytes -> 0 pkts/0 bytes] - 79 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] - 80 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] - 81 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 82 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 83 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 84 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 188.119/QUIC.Facebook][cat: SocialNetwork/6][1 pkts/142 bytes -> 0 pkts/0 bytes] - 85 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 86 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 87 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: kasper-mac] - 88 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 89 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 90 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 91 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 92 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 93 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 94 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] - 95 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] - 96 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 97 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 98 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 99 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] - 100 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] - 101 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] - 102 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] - 103 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 104 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 87/RTP][cat: Media/1][2 pkts/132 bytes -> 0 pkts/0 bytes] - 105 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes] - 106 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes] - 107 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes] - 108 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes] - 109 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes] - 110 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 111 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 112 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes] - 113 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes] - 114 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 115 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 116 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 117 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 118 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav] + 63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: ____________] + 64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: ____________] + 65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: ____________] + 66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/182 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW] + 68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW] + 69 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/110 bytes <-> 1 pkts/66 bytes] + 70 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-PC] + 71 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-PC] + 72 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav] + 73 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] + 74 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] + 75 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: RO_X1C] + 76 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: RO_X1C] + 77 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] + 78 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] + 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] + 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] + 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] + 82 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 83 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 84 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: Kasper-mac] + 85 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW] + 86 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: WANGS-LTW] + 87 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC] + 88 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC] + 89 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC] + 90 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: Joanna-PC] + 91 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] + 92 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] + 93 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-PC] + 94 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-PC] + 95 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-PC] + 96 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: Usher-PC] + 97 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: Usher-PC] + 98 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] + 99 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] + 100 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: RO_X1C] + 101 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 87/RTP][cat: Media/1][2 pkts/132 bytes -> 0 pkts/0 bytes] + 102 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes] + 103 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes] + 104 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes] + 105 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes] + 106 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes] + 107 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 108 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes] + 110 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes] + 111 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 112 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-PC] + 113 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-PC] + 114 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-PC] + 115 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav] Undetected flows: @@ -145,6 +141,9 @@ Undetected flows: 6 UDP 192.168.140.140:62976 -> 255.255.255.255:62976 [proto: 0/Unknown][1 pkts/359 bytes -> 0 pkts/0 bytes] 7 UDP [fe80::4e5e:cff:feea:365]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes -> 0 pkts/0 bytes] 8 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes -> 0 pkts/0 bytes] - 9 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] - 10 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] - 11 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes] + 9 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/177 bytes -> 0 pkts/0 bytes] + 10 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] + 11 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] + 12 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes -> 0 pkts/0 bytes] + 13 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes] + 14 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index 32ddda168..af700dfbb 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out @@ -4,8 +4,8 @@ SSL 28 15397 1 ICMPV6 48 7862 3 Facebook 37 14726 3 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][client: mail.tomasu.net][server: mail.tomasu.net] - 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][client: www.facebook.com][server: *.facebook.com] + 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][TLSv1.2][JA3C: 812d8bce0f85487ba7834d36568ed586][server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14] + 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][TLSv1][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3] 3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes] 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out index 258133b23..2939f608b 100644 --- a/tests/result/Instagram.pcap.out +++ b/tests/result/Instagram.pcap.out @@ -2,12 +2,11 @@ Unknown 1 66 1 HTTP 116 91784 6 ICMP 5 510 1 SSL 2 169 1 -Facebook 101 62428 4 +Facebook 251 215986 5 Dropbox 5 725 2 -WhatsApp 150 153558 1 Instagram 363 255094 16 - 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.142/HTTP.WhatsApp][cat: Chat/9][103 pkts/150456 bytes <-> 47 pkts/3102 bytes] + 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][103 pkts/150456 bytes <-> 47 pkts/3102 bytes] 2 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Host: photos-h.ak.instagram.com] 3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Host: photos-g.ak.instagram.com] 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com] @@ -16,15 +15,15 @@ Instagram 363 255094 16 7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][cat: Web/5][25 pkts/37100 bytes <-> 24 pkts/1584 bytes] 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][cat: Web/5][14 pkts/924 bytes <-> 20 pkts/28115 bytes] 9 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][cat: Web/5][16 pkts/22931 bytes <-> 9 pkts/594 bytes] - 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][client: igcdn-photos-g-a.akamaihd.net][server: a248.e.akamai.net] - 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][client: igcdn-photos-h-a.akamaihd.net][server: a248.e.akamai.net] + 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7] + 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7] 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][6 pkts/4699 bytes <-> 6 pkts/1345 bytes] - 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] - 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] + 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7] + 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7] 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes] 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 5 pkts/4020 bytes] 17 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Host: photos-f.ak.instagram.com] - 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][client: telegraph-ash.instagram.com] + 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/SSL.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7] 19 UDP 192.168.0.106:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/580 bytes -> 0 pkts/0 bytes] 20 ICMP 192.168.0.103:0 -> 192.168.0.103:0 [proto: 81/ICMP][cat: Network/14][5 pkts/510 bytes -> 0 pkts/0 bytes] 21 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][cat: SocialNetwork/6][1 pkts/89 bytes <-> 1 pkts/305 bytes][Host: igcdn-photos-h-a.akamaihd.net] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 0826675ea..55d11abdb 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -8,40 +8,40 @@ HTTP_Proxy 26 3926 1 Amazon 8 2071 2 KakaoTalk 55 9990 15 - 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][client: graph.facebook.com][server: *.facebook.com] - 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][client: developers.facebook.com][server: *.facebook.com] - 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][client: api.facebook.com][server: *.facebook.com] - 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][server: *.facebook.com] - 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][server: *.facebook.com] - 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][server: *.facebook.com] - 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][cat: VoIP/10][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][server: *.kakao.com] + 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][TLSv1][JA3C: 051d20e8adbe8dac78945de300764d5e] + 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][TLSv1][JA3C: 051d20e8adbe8dac78945de300764d5e] + 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][TLSv1][JA3C: 051d20e8adbe8dac78945de300764d5e] + 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2] + 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2] + 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2] + 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)] 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes] 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes] - 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/SSL.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][server: *.push.samsungosp.com] + 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/SSL.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][TLSv1][server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)] 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com] 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com] 13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes] 14 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/SSL][cat: Web/5][2 pkts/112 bytes <-> 3 pkts/168 bytes] 15 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][2 pkts/139 bytes <-> 2 pkts/112 bytes] - 16 UDP 10.24.82.188:57816 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/78 bytes <-> 1 pkts/166 bytes][Host: katalk.kakao.com] + 16 UDP 10.24.82.188:57816 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/78 bytes <-> 1 pkts/166 bytes][Host: katalk.kakao.com] 17 UDP 10.24.82.188:4017 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/85 bytes <-> 1 pkts/144 bytes][Host: developers.facebook.com] 18 UDP 10.24.82.188:19582 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/80 bytes <-> 1 pkts/138 bytes][Host: graph.facebook.com] 19 UDP 10.24.82.188:14650 <-> 10.188.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/87 bytes <-> 1 pkts/130 bytes][Host: 2.97.252.173.in-addr.arpa] - 20 UDP 10.24.82.188:35603 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/79 bytes <-> 1 pkts/136 bytes][Host: ac-talk.kakao.com] - 21 UDP 10.24.82.188:41909 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/84 bytes <-> 1 pkts/130 bytes][Host: booking.loco.kakao.com] - 22 UDP 10.24.82.188:25117 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/82 bytes <-> 1 pkts/126 bytes][Host: up-gp.talk.kakao.com] - 23 UDP 10.24.82.188:5929 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-p.talk.kakao.com] - 24 UDP 10.24.82.188:9094 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-v.talk.kakao.com] - 25 UDP 10.24.82.188:12908 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-m.talk.kakao.com] - 26 UDP 10.24.82.188:29029 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-a.talk.kakao.com] - 27 UDP 10.24.82.188:56820 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-c.talk.kakao.com] - 28 UDP 10.24.82.188:61011 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] - 29 UDP 10.24.82.188:61011 <-> 10.188.191.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] + 20 UDP 10.24.82.188:35603 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/79 bytes <-> 1 pkts/136 bytes][Host: ac-talk.kakao.com] + 21 UDP 10.24.82.188:41909 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/84 bytes <-> 1 pkts/130 bytes][Host: booking.loco.kakao.com] + 22 UDP 10.24.82.188:25117 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/82 bytes <-> 1 pkts/126 bytes][Host: up-gp.talk.kakao.com] + 23 UDP 10.24.82.188:5929 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-p.talk.kakao.com] + 24 UDP 10.24.82.188:9094 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-v.talk.kakao.com] + 25 UDP 10.24.82.188:12908 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-m.talk.kakao.com] + 26 UDP 10.24.82.188:29029 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-a.talk.kakao.com] + 27 UDP 10.24.82.188:56820 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-c.talk.kakao.com] + 28 UDP 10.24.82.188:61011 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] + 29 UDP 10.24.82.188:61011 <-> 10.188.191.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] 30 UDP 10.24.82.188:24596 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/78 bytes <-> 1 pkts/118 bytes][Host: api.facebook.com] - 31 UDP 10.24.82.188:38448 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: auth.kakao.com] - 32 UDP 10.24.82.188:58810 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: item.kakao.com] + 31 UDP 10.24.82.188:38448 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: auth.kakao.com] + 32 UDP 10.24.82.188:58810 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: item.kakao.com] 33 TCP 10.24.82.188:58927 -> 54.255.253.199:5223 [proto: 64.178/SSL_No_Cert.Amazon][cat: Web/5][2 pkts/181 bytes -> 0 pkts/0 bytes] - 34 UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: VoIP/10][1 pkts/81 bytes <-> 1 pkts/97 bytes][Host: dn-l.talk.kakao.com] + 34 UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][cat: Chat/9][1 pkts/81 bytes <-> 1 pkts/97 bytes][Host: dn-l.talk.kakao.com] 35 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][cat: Web/5][1 pkts/164 bytes -> 0 pkts/0 bytes] 36 ICMP 10.24.82.188:0 -> 10.188.191.1:0 [proto: 81/ICMP][cat: Network/14][1 pkts/147 bytes -> 0 pkts/0 bytes] 37 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][cat: Web/5][1 pkts/83 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index ec5e97620..a9f781f39 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -1,8 +1,7 @@ HTTP 5 280 1 QQ 15 1727 1 -SSL_No_Cert 45 10108 1 RTP 2991 398751 2 -SSL 5 1198 1 +SSL 50 11306 2 Facebook 34 4401 4 Google 4 359 4 HTTP_Proxy 16 1838 2 @@ -13,7 +12,7 @@ KakaoTalk_Voice 44 6196 2 1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes] 2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes] 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 163/Tor][cat: VPN/2][22 pkts/5326 bytes <-> 18 pkts/5212 bytes] - 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 64/SSL_No_Cert][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes] + 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/SSL][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][server: Kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)] 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes] 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes] 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes] diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out index 9ab60cc4e..56644e4e1 100644 --- a/tests/result/dnscrypt.pcap.out +++ b/tests/result/dnscrypt.pcap.out @@ -1,6 +1,6 @@ -DNScrypt 111 44676 4 +SSL 111 44676 4 - 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][cat: Network/14][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][client: simplednscrypt.org] - 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][cat: Network/14][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][client: simplednscrypt.org] - 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][cat: Network/14][8 pkts/780 bytes <-> 10 pkts/7735 bytes][client: simplednscrypt.org] - 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][cat: Network/14][8 pkts/780 bytes <-> 10 pkts/7735 bytes][client: simplednscrypt.org] + 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][TLSv1.2][JA3C: b8f81673c0e1d29908346f3bab892b9b][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] + 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] + 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] + 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out index b34851e55..1f96263af 100644 --- a/tests/result/facebook.pcap.out +++ b/tests/result/facebook.pcap.out @@ -1,4 +1,4 @@ Facebook 60 30511 2 - 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][client: www.facebook.com] - 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][client: facebook.com][server: *.facebook.com] + 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][TLSv1][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f] + 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][TLSv1][JA3C: bfcc1a3891601edb4f137ab7ab25b840] diff --git a/tests/result/ftp.pcap.out b/tests/result/ftp.pcap.out new file mode 100644 index 000000000..20471c1f4 --- /dev/null +++ b/tests/result/ftp.pcap.out @@ -0,0 +1,10 @@ +Unknown 1115 1122198 1 +FTP_CONTROL 68 5571 1 +FTP_DATA 9 1819 1 + + 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][cat: Download-FileTransfer-FileSharing/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes] + 2 TCP 192.168.1.212:50695 <-> 90.130.70.73:25685 [proto: 175/FTP_DATA][cat: Download-FileTransfer-FileSharing/7][5 pkts/342 bytes <-> 4 pkts/1477 bytes] + + +Undetected flows: + 1 TCP 192.168.1.212:50696 <-> 90.130.70.73:24523 [proto: 0/Unknown][380 pkts/25104 bytes <-> 735 pkts/1097094 bytes] diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out index 0a4e91ba8..d258599e3 100644 --- a/tests/result/google_ssl.pcap.out +++ b/tests/result/google_ssl.pcap.out @@ -1,3 +1,3 @@ Google 28 9108 1 - 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/SSL.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][server: www.google.com] + 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/SSL.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][TLSv1][server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)] diff --git a/tests/result/hangout.pcap.out b/tests/result/hangout.pcap.out index 323e41d36..8fd1e203c 100644 --- a/tests/result/hangout.pcap.out +++ b/tests/result/hangout.pcap.out @@ -1,3 +1,3 @@ GoogleHangout 19 2774 1 - 1 UDP 74.125.134.127:19305 -> 10.89.61.13:56406 [proto: 201/GoogleHangout][cat: Chat/9][19 pkts/2774 bytes -> 0 pkts/0 bytes] + 1 UDP 74.125.134.127:19305 -> 10.89.61.13:56406 [proto: 201/GoogleHangout][cat: VoIP/10][19 pkts/2774 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index c9de9cedb..30e8b32cf 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out @@ -5,12 +5,12 @@ Google 62 15977 1 QUIC 3 502 1 1 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][cat: Web/5][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Host: www.google.it] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][client: www.ntop.org] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][client: www.ntop.org] - 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][client: www.ntop.org] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][client: www.ntop.org] - 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] - 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] + 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293] + 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293] + 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293] + 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/SSL.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293] + 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293] + 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][TLSv1][JA3C: d3e627f423a33ea41841c19b8af79293] 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/SSL][cat: Web/5][7 pkts/860 bytes <-> 7 pkts/1353 bytes] 9 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][cat: Web/5][2 pkts/359 bytes <-> 1 pkts/143 bytes] 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes] diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out index 41ad6e3f9..0a1117812 100644 --- a/tests/result/netflix.pcap.out +++ b/tests/result/netflix.pcap.out @@ -4,63 +4,63 @@ IGMP 1 60 1 NetFlix 6976 6151821 56 Amazon 2 126 1 - 1 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][667 pkts/50462 bytes <-> 1205 pkts/1807875 bytes][Host: 23.246.11.141] - 2 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Host: 23.246.3.140] - 3 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Host: 23.246.11.133] - 4 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][147 pkts/11558 bytes <-> 490 pkts/734346 bytes][Host: tp.akam.nflximg.com] - 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][client: art-s.nflximg.net][server: secure.cdn.nflximg.net] - 6 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Host: 23.246.11.141] - 7 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Host: art-2.nflximg.net] - 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][client: api-global.netflix.com][server: api.netflix.com] - 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 10 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][24 pkts/2040 bytes <-> 34 pkts/45136 bytes] - 11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][21 pkts/1868 bytes <-> 34 pkts/45139 bytes] - 12 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Host: art-2.nflximg.net] - 13 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][21 pkts/1826 bytes <-> 32 pkts/43179 bytes] - 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][client: api-global.netflix.com][server: api.netflix.com] - 15 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Host: art-1.nflximg.net] - 16 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][31 pkts/2596 bytes <-> 29 pkts/37544 bytes] - 17 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Host: art-1.nflximg.net] - 18 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Host: appboot.netflix.com] - 19 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][33 pkts/2732 bytes <-> 25 pkts/30064 bytes] - 20 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][24 pkts/2041 bytes <-> 25 pkts/30064 bytes] - 21 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][31 pkts/2571 bytes <-> 22 pkts/28042 bytes] - 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][client: api-global.netflix.com][server: api.netflix.com] - 23 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][32 pkts/2572 bytes <-> 23 pkts/26661 bytes] - 24 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][36 pkts/3030 bytes <-> 21 pkts/25455 bytes] - 25 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][34 pkts/2864 bytes <-> 21 pkts/25456 bytes] - 26 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][30 pkts/2553 bytes <-> 22 pkts/25510 bytes] - 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][client: api-global.netflix.com] - 29 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][35 pkts/2920 bytes <-> 19 pkts/22428 bytes] - 30 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][34 pkts/2879 bytes <-> 20 pkts/22373 bytes] - 31 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][30 pkts/2610 bytes <-> 20 pkts/22422 bytes] - 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Host: api-global.netflix.com] - 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][client: api-global.netflix.com][server: api.netflix.com] - 36 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Streaming/17][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Host: art-2.nflximg.net] - 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][client: api-global.netflix.com] - 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][client: api-global.netflix.com][server: api.netflix.com] - 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][client: api-global.netflix.com] - 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Streaming/17][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][client: api-global.netflix.com] + 1 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][667 pkts/50462 bytes <-> 1205 pkts/1807875 bytes][Host: 23.246.11.141] + 2 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Host: 23.246.3.140] + 3 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Host: 23.246.11.133] + 4 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][147 pkts/11558 bytes <-> 490 pkts/734346 bytes][Host: tp.akam.nflximg.com] + 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 6 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Host: 23.246.11.141] + 7 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Host: art-2.nflximg.net] + 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][TLSv1][JA3C: dc67ac8aaf8d7f69ecd6598135448f24] + 10 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2040 bytes <-> 34 pkts/45136 bytes] + 11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1868 bytes <-> 34 pkts/45139 bytes] + 12 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Host: art-2.nflximg.net] + 13 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1826 bytes <-> 32 pkts/43179 bytes] + 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][TLSv1][JA3C: 7e72698146290dd68239f788a452e7d8] + 15 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Host: art-1.nflximg.net] + 16 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2596 bytes <-> 29 pkts/37544 bytes] + 17 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Host: art-1.nflximg.net] + 18 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Host: appboot.netflix.com] + 19 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][33 pkts/2732 bytes <-> 25 pkts/30064 bytes] + 20 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2041 bytes <-> 25 pkts/30064 bytes] + 21 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2571 bytes <-> 22 pkts/28042 bytes] + 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][TLSv1][JA3C: d8bfad189bd26664e04570c104ee8418] + 23 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][32 pkts/2572 bytes <-> 23 pkts/26661 bytes] + 24 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][36 pkts/3030 bytes <-> 21 pkts/25455 bytes] + 25 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2864 bytes <-> 21 pkts/25456 bytes] + 26 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2553 bytes <-> 22 pkts/25510 bytes] + 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][TLSv1][JA3C: 7e72698146290dd68239f788a452e7d8] + 29 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][35 pkts/2920 bytes <-> 19 pkts/22428 bytes] + 30 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2879 bytes <-> 20 pkts/22373 bytes] + 31 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2610 bytes <-> 20 pkts/22422 bytes] + 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][TLSv1][JA3C: dc67ac8aaf8d7f69ecd6598135448f24] + 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Host: api-global.netflix.com] + 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][TLSv1][JA3C: dc67ac8aaf8d7f69ecd6598135448f24] + 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][TLSv1][JA3C: 7e72698146290dd68239f788a452e7d8] + 36 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Host: art-2.nflximg.net] + 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][TLSv1][JA3C: dc67ac8aaf8d7f69ecd6598135448f24] + 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][TLSv1][JA3C: dc67ac8aaf8d7f69ecd6598135448f24] + 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][TLSv1][JA3C: dc67ac8aaf8d7f69ecd6598135448f24] + 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][TLSv1][JA3C: 7e72698146290dd68239f788a452e7d8] + 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][TLSv1][JA3C: c07cb55f88702033a8f52c046d23e0b2] + 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][TLSv1][JA3C: 7e72698146290dd68239f788a452e7d8] + 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][TLSv1][JA3C: 7e72698146290dd68239f788a452e7d8] 47 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][16 pkts/2648 bytes -> 0 pkts/0 bytes] - 48 UDP 192.168.1.7:51543 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] - 49 UDP 192.168.1.7:51622 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] - 50 UDP 192.168.1.7:52347 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/80 bytes <-> 1 pkts/371 bytes][Host: ios.nccp.netflix.com] - 51 UDP 192.168.1.7:60962 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/83 bytes <-> 1 pkts/248 bytes][Host: ichnaea.geo.netflix.com] - 52 UDP 192.168.1.7:51949 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] - 53 UDP 192.168.1.7:52095 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] - 54 UDP 192.168.1.7:52116 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/96 bytes <-> 1 pkts/224 bytes][Host: ichnaea.us-west-2.prodaa.netflix.com] - 55 UDP 192.168.1.7:58102 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/79 bytes <-> 1 pkts/192 bytes][Host: appboot.netflix.com] - 56 UDP 192.168.1.7:59180 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/84 bytes <-> 1 pkts/148 bytes][Host: artwork.akam.nflximg.net] - 57 UDP 192.168.1.7:57719 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Streaming/17][1 pkts/85 bytes <-> 1 pkts/137 bytes][Host: sha2.san.akam.nflximg.net] + 48 UDP 192.168.1.7:51543 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] + 49 UDP 192.168.1.7:51622 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] + 50 UDP 192.168.1.7:52347 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/80 bytes <-> 1 pkts/371 bytes][Host: ios.nccp.netflix.com] + 51 UDP 192.168.1.7:60962 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/83 bytes <-> 1 pkts/248 bytes][Host: ichnaea.geo.netflix.com] + 52 UDP 192.168.1.7:51949 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] + 53 UDP 192.168.1.7:52095 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] + 54 UDP 192.168.1.7:52116 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/96 bytes <-> 1 pkts/224 bytes][Host: ichnaea.us-west-2.prodaa.netflix.com] + 55 UDP 192.168.1.7:58102 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/79 bytes <-> 1 pkts/192 bytes][Host: appboot.netflix.com] + 56 UDP 192.168.1.7:59180 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/84 bytes <-> 1 pkts/148 bytes][Host: artwork.akam.nflximg.net] + 57 UDP 192.168.1.7:57719 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][cat: Video/26][1 pkts/85 bytes <-> 1 pkts/137 bytes][Host: sha2.san.akam.nflximg.net] 58 UDP 192.168.1.7:57093 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/113 bytes][Host: a1907.dscg.akamai.net] 59 UDP 192.168.1.7:51728 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/80 bytes <-> 1 pkts/112 bytes][Host: a803.dscg.akamai.net] 60 TCP 192.168.1.7:52929 -> 52.24.87.6:443 [proto: 91.178/SSL.Amazon][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out index e69de29bb..8aeb3647a 100644 --- a/tests/result/nintendo.pcap.out +++ b/tests/result/nintendo.pcap.out @@ -0,0 +1,25 @@ +ICMP 30 2100 2 +Nintendo 890 320242 12 +Amazon 76 10811 7 + + 1 UDP 192.168.12.114:55915 <-> 185.118.169.65:27520 [proto: 173/Nintendo][cat: Game/8][169 pkts/61414 bytes <-> 278 pkts/126260 bytes] + 2 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][cat: Game/8][122 pkts/48332 bytes <-> 35 pkts/5026 bytes] + 3 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][cat: Game/8][122 pkts/46476 bytes <-> 38 pkts/5268 bytes] + 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 64.178/SSL_No_Cert.Amazon][cat: Web/5][34 pkts/4466 bytes <-> 20 pkts/4021 bytes] + 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/SSL.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][TLSv1][JA3C: 200a99534ce50d35cf40cc3cce4c69b5] + 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/SSL.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][TLSv1][JA3C: 200a99534ce50d35cf40cc3cce4c69b5] + 7 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][cat: Game/8][23 pkts/2682 bytes <-> 16 pkts/3408 bytes] + 8 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][cat: Game/8][8 pkts/1024 bytes <-> 8 pkts/1024 bytes] + 9 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][cat: Game/8][8 pkts/1040 bytes <-> 7 pkts/922 bytes] + 10 ICMP 151.6.184.100:0 -> 192.168.12.114:0 [proto: 81/ICMP][cat: Network/14][21 pkts/1470 bytes -> 0 pkts/0 bytes] + 11 UDP 192.168.12.114:10184 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][4 pkts/368 bytes <-> 4 pkts/400 bytes][Host: g2df33d01-lp1.p.srv.nintendo.net] + 12 UDP 192.168.12.114:52119 -> 52.10.205.177:34343 [proto: 178/Amazon][cat: Web/5][1 pkts/730 bytes -> 0 pkts/0 bytes] + 13 ICMP 151.6.184.98:0 -> 192.168.12.114:0 [proto: 81/ICMP][cat: Network/14][9 pkts/630 bytes -> 0 pkts/0 bytes] + 14 UDP 192.168.12.114:55915 <-> 35.158.74.61:10025 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 15 UDP 192.168.12.114:18874 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][1 pkts/110 bytes <-> 1 pkts/281 bytes][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com] + 16 UDP 192.168.12.114:51035 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][cat: Game/8][1 pkts/110 bytes <-> 1 pkts/281 bytes][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com] + 17 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173/Nintendo][cat: Game/8][3 pkts/354 bytes -> 0 pkts/0 bytes] + 18 UDP 192.168.12.114:55915 -> 35.158.74.61:33335 [proto: 178/Amazon][cat: Web/5][3 pkts/318 bytes -> 0 pkts/0 bytes] + 19 UDP 192.168.12.114:55915 -> 52.10.205.177:34343 [proto: 178/Amazon][cat: Web/5][1 pkts/298 bytes -> 0 pkts/0 bytes] + 20 UDP 192.168.12.114:55915 -> 35.158.74.61:33334 [proto: 178/Amazon][cat: Web/5][5 pkts/290 bytes -> 0 pkts/0 bytes] + 21 TCP 192.168.12.114:11534 <-> 54.146.242.74:443 [proto: 91.178/SSL.Amazon][cat: Web/5][1 pkts/54 bytes <-> 1 pkts/54 bytes] diff --git a/tests/result/ocs.pcap.out b/tests/result/ocs.pcap.out index 51d926ee3..b05725c29 100644 --- a/tests/result/ocs.pcap.out +++ b/tests/result/ocs.pcap.out @@ -1,26 +1,27 @@ Unknown 6 360 1 +DNS 3 214 3 HTTP 13 1019 2 -Google 30 3390 6 +Google 27 3176 3 Amazon 20 2715 1 OCS 863 57552 7 PlayStore 1 72 1 GoogleServices 13 2277 2 1 TCP 192.168.180.2:49881 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][cat: Media/1][751 pkts/44783 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] - 2 TCP 192.168.180.2:36680 -> 178.248.208.54:443 [proto: 91.218/SSL.OCS][cat: Media/1][20 pkts/6089 bytes -> 0 pkts/0 bytes][client: ocs.labgency.ws] + 2 TCP 192.168.180.2:36680 -> 178.248.208.54:443 [proto: 91.218/SSL.OCS][cat: Media/1][20 pkts/6089 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 0534a22b266a64a5cc9a90f7b5c483cc] 3 TCP 192.168.180.2:42590 -> 178.248.208.210:80 [proto: 7.218/HTTP.OCS][cat: Media/1][83 pkts/5408 bytes -> 0 pkts/0 bytes][Host: www.ocs.fr] - 4 TCP 192.168.180.2:39263 -> 23.21.230.199:443 [proto: 91.178/SSL.Amazon][cat: Web/5][20 pkts/2715 bytes -> 0 pkts/0 bytes][client: settings.crashlytics.com] - 5 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.239/SSL.GoogleServices][cat: Web/5][12 pkts/2212 bytes -> 0 pkts/0 bytes][client: mtalk.google.com] - 6 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/SSL.Google][cat: Web/5][12 pkts/1608 bytes -> 0 pkts/0 bytes] - 7 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/SSL.Google][cat: Web/5][13 pkts/1448 bytes -> 0 pkts/0 bytes] + 4 TCP 192.168.180.2:39263 -> 23.21.230.199:443 [proto: 91.178/SSL.Amazon][cat: Web/5][20 pkts/2715 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: b030dba3ca09e2e484b9fa75adc4039c] + 5 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.239/SSL.GoogleServices][cat: Web/5][12 pkts/2212 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1] + 6 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/SSL.Google][cat: Web/5][12 pkts/1608 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66] + 7 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/SSL.Google][cat: Web/5][13 pkts/1448 bytes -> 0 pkts/0 bytes][TLSv1][JA3C: 5a236bfc3d18ddef1b1f2f4c9e765d66] 8 TCP 192.168.180.2:48250 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][cat: Media/1][6 pkts/1092 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] - 9 TCP 192.168.180.2:44959 -> 137.135.129.206:80 [proto: 7/HTTP][cat: Web/5][7 pkts/540 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] - 10 TCP 192.168.180.2:53356 -> 137.135.129.206:80 [proto: 7/HTTP][cat: Web/5][6 pkts/479 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 9 TCP 192.168.180.2:44959 -> 137.135.129.206:80 [proto: 7.7/HTTP][cat: Web/5][7 pkts/540 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 10 TCP 192.168.180.2:53356 -> 137.135.129.206:80 [proto: 7.7/HTTP][cat: Web/5][6 pkts/479 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] 11 TCP 192.168.180.2:47699 -> 64.233.184.188:5228 [proto: 126/Google][cat: Web/5][2 pkts/120 bytes -> 0 pkts/0 bytes] - 12 UDP 192.168.180.2:3621 -> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/77 bytes -> 0 pkts/0 bytes][Host: xmpp.device06.eu01.capptain.com] + 12 UDP 192.168.180.2:3621 -> 8.8.8.8:53 [proto: 5.5/DNS][cat: Network/14][1 pkts/77 bytes -> 0 pkts/0 bytes][Host: xmpp.device06.eu01.capptain.com] 13 UDP 192.168.180.2:48770 -> 8.8.8.8:53 [proto: 5.228/DNS.PlayStore][cat: SoftwareUpdate/19][1 pkts/72 bytes -> 0 pkts/0 bytes][Host: android.clients.google.com] - 14 UDP 192.168.180.2:40097 -> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: settings.crashlytics.com] - 15 UDP 192.168.180.2:1291 -> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 14 UDP 192.168.180.2:40097 -> 8.8.8.8:53 [proto: 5.5/DNS][cat: Network/14][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: settings.crashlytics.com] + 15 UDP 192.168.180.2:1291 -> 8.8.8.8:53 [proto: 5.5/DNS][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] 16 UDP 192.168.180.2:11793 -> 8.8.8.8:53 [proto: 5.239/DNS.GoogleServices][cat: Web/5][1 pkts/65 bytes -> 0 pkts/0 bytes][Host: play.googleapis.com] 17 UDP 192.168.180.2:38472 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][cat: Media/1][1 pkts/63 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] 18 UDP 192.168.180.2:2589 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][cat: Media/1][1 pkts/61 bytes -> 0 pkts/0 bytes][Host: ocs.labgency.ws] diff --git a/tests/result/pps.pcap.out b/tests/result/pps.pcap.out index f9e26850b..774b615ff 100644 --- a/tests/result/pps.pcap.out +++ b/tests/result/pps.pcap.out @@ -7,8 +7,8 @@ GenericProtocol 1429 1780307 49 1 TCP 192.168.115.8:50780 <-> 223.26.106.20:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/303 bytes <-> 541 pkts/710082 bytes][Host: preimage1.qiyipic.com] 2 TCP 192.168.115.8:50778 <-> 223.26.106.20:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/303 bytes <-> 528 pkts/692658 bytes][Host: preimage1.qiyipic.com] 3 TCP 192.168.115.8:50505 <-> 223.26.106.19:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][2 pkts/400 bytes <-> 244 pkts/319633 bytes][Host: static.qiyi.com] - 4 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7/HTTP][cat: Web/5][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Host: 223.26.106.66] - 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7/HTTP][cat: Web/5][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Host: bcu.ff.avast.com] + 4 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7.7/HTTP][cat: Web/5][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Host: 223.26.106.66] + 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7.7/HTTP][cat: Web/5][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Host: bcu.ff.avast.com] 6 UDP 192.168.5.38:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][18 pkts/9327 bytes -> 0 pkts/0 bytes] 7 TCP 192.168.115.8:50476 <-> 101.227.32.39:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/656 bytes <-> 4 pkts/3897 bytes][Host: cache.video.iqiyi.com] 8 TCP 192.168.115.8:50495 <-> 202.108.14.236:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][3 pkts/2844 bytes <-> 3 pkts/597 bytes][Host: msg.71.am] @@ -22,11 +22,11 @@ GenericProtocol 1429 1780307 49 16 TCP 192.168.115.8:50779 <-> 111.206.22.77:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][2 pkts/1438 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] 17 UDP 192.168.5.38:58897 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][9 pkts/1575 bytes -> 0 pkts/0 bytes] 18 UDP 192.168.115.1:50945 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][9 pkts/1539 bytes -> 0 pkts/0 bytes] - 19 TCP 192.168.115.8:50464 <-> 123.125.112.49:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/707 bytes <-> 1 pkts/744 bytes][Host: click.hm.baidu.com] + 19 TCP 192.168.115.8:50464 <-> 123.125.112.49:80 [proto: 7.137/HTTP.GenericProtocol][cat: Web/5][1 pkts/707 bytes <-> 1 pkts/744 bytes][Host: click.hm.baidu.com] 20 TCP 192.168.115.8:50492 <-> 111.206.13.3:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/389 bytes <-> 2 pkts/1034 bytes][Host: pdata.video.qiyi.com] 21 TCP 192.168.115.8:50777 <-> 111.206.22.77:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/1186 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] - 22 TCP 192.168.115.8:50494 <-> 223.26.106.66:80 [proto: 7/HTTP][cat: Web/5][2 pkts/887 bytes <-> 1 pkts/443 bytes][Host: 223.26.106.66] - 23 TCP 192.168.115.8:50497 <-> 123.125.112.49:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/1004 bytes <-> 2 pkts/301 bytes][Host: click.hm.baidu.com] + 22 TCP 192.168.115.8:50494 <-> 223.26.106.66:80 [proto: 7.7/HTTP][cat: Web/5][2 pkts/887 bytes <-> 1 pkts/443 bytes][Host: 223.26.106.66] + 23 TCP 192.168.115.8:50497 <-> 123.125.112.49:80 [proto: 7.137/HTTP.GenericProtocol][cat: Web/5][1 pkts/1004 bytes <-> 2 pkts/301 bytes][Host: click.hm.baidu.com] 24 TCP 192.168.115.8:50499 <-> 111.206.22.76:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/1097 bytes <-> 1 pkts/199 bytes][Host: msg.iqiyi.com] 25 TCP 192.168.115.8:50474 <-> 202.108.14.221:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/1100 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] 26 TCP 192.168.115.8:50507 <-> 223.26.106.19:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/212 bytes <-> 1 pkts/1063 bytes][Host: static.qiyi.com] @@ -36,7 +36,7 @@ GenericProtocol 1429 1780307 49 30 TCP 192.168.115.8:50771 <-> 202.108.14.236:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/946 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] 31 TCP 192.168.115.8:50473 <-> 202.108.14.219:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/944 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] 32 TCP 192.168.115.8:50475 <-> 202.108.14.236:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/941 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 33 TCP 192.168.115.8:50500 <-> 23.41.133.163:80 [proto: 7/HTTP][cat: Web/5][1 pkts/289 bytes <-> 1 pkts/839 bytes][Host: s1.symcb.com] + 33 TCP 192.168.115.8:50500 <-> 23.41.133.163:80 [proto: 7.7/HTTP][cat: Web/5][1 pkts/289 bytes <-> 1 pkts/839 bytes][Host: s1.symcb.com] 34 TCP 192.168.115.8:50773 <-> 202.108.14.221:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/919 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] 35 TCP 192.168.115.8:50466 <-> 203.66.182.24:80 [proto: 7.126/HTTP.Google][cat: Web/5][1 pkts/280 bytes <-> 1 pkts/813 bytes][Host: clients1.google.com] 36 UDP 192.168.5.50:52529 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][6 pkts/1074 bytes -> 0 pkts/0 bytes] @@ -53,11 +53,11 @@ GenericProtocol 1429 1780307 49 47 TCP 192.168.115.8:50477 <-> 202.108.14.219:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/614 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] 48 TCP 192.168.115.8:50774 <-> 202.108.14.219:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/587 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] 49 TCP 192.168.115.8:50469 <-> 202.108.14.219:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/573 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 50 TCP 192.168.115.8:50482 <-> 140.205.243.64:80 [proto: 7/HTTP][cat: Web/5][1 pkts/444 bytes <-> 1 pkts/283 bytes][Host: cmc.tanx.com] + 50 TCP 192.168.115.8:50482 <-> 140.205.243.64:80 [proto: 7.7/HTTP][cat: Web/5][1 pkts/444 bytes <-> 1 pkts/283 bytes][Host: cmc.tanx.com] 51 TCP 192.168.115.8:50768 <-> 223.26.106.19:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/198 bytes <-> 1 pkts/526 bytes][Host: static.qiyi.com] - 52 TCP 192.168.5.15:65128 <-> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][1 pkts/331 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] + 52 TCP 192.168.5.15:65128 <-> 68.233.253.133:80 [proto: 7.7/HTTP][cat: Web/5][1 pkts/331 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] 53 TCP 192.168.115.8:50509 <-> 106.38.219.107:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/163 bytes <-> 2 pkts/557 bytes][Host: iplocation.geo.qiyi.com] - 54 TCP 192.168.5.15:65127 <-> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][1 pkts/323 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] + 54 TCP 192.168.5.15:65127 <-> 68.233.253.133:80 [proto: 7.7/HTTP][cat: Web/5][1 pkts/323 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] 55 TCP 192.168.115.8:50766 <-> 223.26.106.20:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/198 bytes <-> 1 pkts/493 bytes][Host: static.qiyi.com] 56 TCP 192.168.115.8:50487 -> 202.108.14.219:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/683 bytes -> 0 pkts/0 bytes][Host: msg.71.am] 57 TCP 192.168.115.8:50489 <-> 119.188.13.188:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][1 pkts/253 bytes <-> 1 pkts/430 bytes][Host: pdata.video.qiyi.com] diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out index c510958eb..efb58341a 100644 --- a/tests/result/quickplay.pcap.out +++ b/tests/result/quickplay.pcap.out @@ -1,8 +1,8 @@ +HTTP 2 1469 1 QQ 12 4781 5 Facebook 6 1740 3 Google 2 378 1 GenericProtocol 133 96179 11 -Amazon 2 1469 1 1 TCP 10.54.169.250:52009 <-> 120.28.35.40:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][35 pkts/17902 bytes <-> 30 pkts/28000 bytes][Host: vod-singtelhawk.quickplay.com] 2 TCP 10.54.169.250:52019 <-> 120.28.35.40:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][14 pkts/7028 bytes <-> 11 pkts/12578 bytes][Host: vod-singtelhawk.quickplay.com] @@ -14,7 +14,7 @@ Amazon 2 1469 1 8 TCP 10.54.169.250:52021 <-> 120.28.35.40:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][3 pkts/1506 bytes <-> 1 pkts/1248 bytes][Host: vod-singtelhawk.quickplay.com] 9 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][3 pkts/1583 bytes <-> 1 pkts/1152 bytes][Host: vod-singtelhawk.quickplay.com] 10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Host: play-singtelhawk.quickplay.com] - 11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.178/HTTP.Amazon][cat: Web/5][1 pkts/638 bytes <-> 1 pkts/831 bytes][Host: api.account.xiaomi.com] + 11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.7/HTTP][cat: Web/5][1 pkts/638 bytes <-> 1 pkts/831 bytes][Host: api.account.xiaomi.com] 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Host: hkextshort.weixin.qq.com] 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][1 pkts/461 bytes <-> 2 pkts/522 bytes][Host: hkextshort.weixin.qq.com] 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][1 pkts/681 bytes <-> 1 pkts/262 bytes][Host: hkminorshort.weixin.qq.com] diff --git a/tests/result/rdp.pcap.out b/tests/result/rdp.pcap.out new file mode 100644 index 000000000..5b5e78f8b --- /dev/null +++ b/tests/result/rdp.pcap.out @@ -0,0 +1,3 @@ +RDP 2010 622743 1 + + 1 TCP 172.16.2.185:52494 <-> 192.168.2.142:3389 [proto: 88/RDP][cat: RemoteAccess/12][936 pkts/58890 bytes <-> 1074 pkts/563853 bytes] diff --git a/tests/result/skype-conference-call.pcap.out b/tests/result/skype-conference-call.pcap.out index e69de29bb..fd6dde8c4 100644 --- a/tests/result/skype-conference-call.pcap.out +++ b/tests/result/skype-conference-call.pcap.out @@ -0,0 +1,3 @@ +SkypeCall 200 39687 1 + + 1 UDP 192.168.2.20:49282 <-> 104.46.40.49:60642 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][133 pkts/24845 bytes <-> 67 pkts/14842 bytes] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index af93da8ae..7d5c04255 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -15,10 +15,10 @@ Spotify 5 430 1 MS_OneDrive 387 198090 1 ApplePush 12 1877 1 - 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][server: *.gateway.messenger.live.com] + 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe] 2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes] 3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes] - 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/SSL.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][client: p05-keyvalueservice.icloud.com] + 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/SSL.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] 5 TCP 192.168.1.34:50119 <-> 86.31.35.30:59621 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][62 pkts/6941 bytes <-> 38 pkts/5325 bytes] 6 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/7281 bytes -> 0 pkts/0 bytes] 7 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 64.121/SSL_No_Cert.Dropbox][cat: Cloud/13][8 pkts/1636 bytes <-> 8 pkts/4344 bytes] @@ -27,13 +27,13 @@ ApplePush 12 1877 1 10 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][19 pkts/2797 bytes <-> 13 pkts/2175 bytes] 11 TCP 192.168.1.34:50118 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][18 pkts/2588 bytes <-> 13 pkts/2100 bytes] 12 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][15 pkts/2395 bytes <-> 8 pkts/1724 bytes] - 13 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][client: apps.skypeassets.com] - 14 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] + 13 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] + 14 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] 15 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes] 16 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes] 17 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes] 18 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes] - 19 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/2140 bytes <-> 3 pkts/200 bytes][client: apps.skype.com] + 19 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/2140 bytes <-> 3 pkts/200 bytes][TLSv1] 20 TCP 192.168.1.34:50134 <-> 157.56.53.47:12350 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][11 pkts/1578 bytes <-> 4 pkts/342 bytes] 21 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/1211 bytes <-> 6 pkts/666 bytes] 22 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][13 pkts/1554 bytes <-> 3 pkts/200 bytes] @@ -135,7 +135,7 @@ ApplePush 12 1877 1 118 UDP 192.168.1.34:54396 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] 119 UDP 192.168.1.34:65426 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] 120 TCP 192.168.1.34:50109 <-> 91.190.216.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/297 bytes <-> 3 pkts/186 bytes] - 121 UDP 192.168.1.92:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][cat: Streaming/17][5 pkts/430 bytes -> 0 pkts/0 bytes] + 121 UDP 192.168.1.92:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][cat: Music/25][5 pkts/430 bytes -> 0 pkts/0 bytes] 122 TCP 192.168.1.34:50110 <-> 91.190.216.125:12350 [proto: 125/Skype][cat: VoIP/10][3 pkts/191 bytes <-> 3 pkts/186 bytes] 123 UDP 192.168.1.34:55893 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][cat: VoIP/10][5 pkts/360 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] 124 UDP 192.168.1.34:49485 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][2 pkts/349 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 916d99f23..696fd3687 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -13,16 +13,16 @@ Apple 76 19581 1 MS_OneDrive 348 181687 1 ApplePush 8 1118 1 - 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][server: *.gateway.messenger.live.com] + 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe] 2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes] 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 64.140/SSL_No_Cert.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes] 4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes] 5 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][17 pkts/2686 bytes <-> 13 pkts/2218 bytes] 6 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][12 pkts/2194 bytes <-> 8 pkts/1711 bytes] - 7 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] + 7 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] 8 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][cat: VoIP/10][12 pkts/3242 bytes <-> 3 pkts/290 bytes] 9 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 64.121/SSL_No_Cert.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes] - 10 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] + 10 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][TLSv1] 11 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][13 pkts/1446 bytes <-> 4 pkts/266 bytes] 12 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/SSL][cat: Web/5][13 pkts/1437 bytes <-> 3 pkts/200 bytes] 13 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][cat: VoIP/10][12 pkts/1333 bytes <-> 3 pkts/251 bytes] diff --git a/tests/result/snapchat.pcap.out b/tests/result/snapchat.pcap.out index 017d5a639..4be8b4d24 100644 --- a/tests/result/snapchat.pcap.out +++ b/tests/result/snapchat.pcap.out @@ -1,6 +1,6 @@ Google 22 2879 1 Snapchat 34 7320 2 - 1 TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][cat: Chat/9][9 pkts/2290 bytes <-> 8 pkts/1653 bytes][client: feelinsonice-hrd.appspot.com] - 2 TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][cat: Chat/9][9 pkts/2345 bytes <-> 8 pkts/1032 bytes][client: feelinsonice-hrd.appspot.com] + 1 TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][cat: SocialNetwork/6][9 pkts/2290 bytes <-> 8 pkts/1653 bytes][TLSv1][JA3C: fded31ac9b978e56ce306f8056092f2a] + 2 TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][cat: SocialNetwork/6][9 pkts/2345 bytes <-> 8 pkts/1032 bytes][TLSv1][JA3C: fded31ac9b978e56ce306f8056092f2a] 3 TCP 10.8.0.1:33233 <-> 74.125.136.141:443 [proto: 64.126/SSL_No_Cert.Google][cat: Web/5][11 pkts/1910 bytes <-> 11 pkts/969 bytes] diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out index 8d42d972d..561fe0869 100644 --- a/tests/result/starcraft_battle.pcap.out +++ b/tests/result/starcraft_battle.pcap.out @@ -31,12 +31,12 @@ Starcraft 236 51494 6 21 TCP 192.168.1.100:3512 <-> 12.129.222.54:80 [proto: 7.76/HTTP.WorldOfWarcraft][cat: Game/8][5 pkts/367 bytes <-> 4 pkts/513 bytes][Host: us.scan.worldofwarcraft.com] 22 UDP 192.168.1.100:55468 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/168 bytes <-> 2 pkts/388 bytes][Host: bnetcmsus-a.akamaihd.net] 23 UDP 173.194.40.22:443 <-> 192.168.1.100:53568 [proto: 188.126/QUIC.Google][cat: Web/5][3 pkts/243 bytes <-> 3 pkts/232 bytes] - 24 UDP 192.168.1.100:58851 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/173 bytes <-> 2 pkts/282 bytes][Host: 22.40.194.173.in-addr.arpa] + 24 UDP 192.168.1.100:58851 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/173 bytes <-> 2 pkts/282 bytes][Host: 110.212.58.216.in-addr.arpa] 25 UDP 192.168.1.100:60026 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/154 bytes <-> 2 pkts/288 bytes][Host: llnw.blizzard.com] - 26 UDP 192.168.1.100:58818 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/172 bytes <-> 2 pkts/260 bytes][Host: 91.252.30.192.in-addr.arpa] - 27 UDP 192.168.1.100:58831 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/172 bytes <-> 2 pkts/245 bytes][Host: 254.1.168.192.in-addr.arpa] - 28 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][cat: Web/5][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] - 29 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][cat: Web/5][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] + 26 UDP 192.168.1.100:58818 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/172 bytes <-> 2 pkts/260 bytes][Host: 100.1.168.192.in-addr.arpa] + 27 UDP 192.168.1.100:58831 <-> 192.168.1.254:53 [proto: 5.5/DNS][cat: Network/14][2 pkts/172 bytes <-> 2 pkts/245 bytes][Host: 26.186.239.80.in-addr.arpa] + 28 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7.7/HTTP][cat: Web/5][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] + 29 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7.7/HTTP][cat: Web/5][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] 30 UDP 192.168.1.100:53145 <-> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/152 bytes <-> 2 pkts/184 bytes][Host: nydus.battle.net] 31 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes] 32 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/167 bytes] diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out index e200492ee..2241d4f71 100644 --- a/tests/result/viber.pcap.out +++ b/tests/result/viber.pcap.out @@ -8,16 +8,16 @@ Google 32 9133 3 Viber 268 99524 9 Amazon 71 24849 3 - 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/SSL.Viber][cat: Chat/9][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][client: dl-media.viber.com][server: *.viber.com] - 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/SSL.Viber][cat: Chat/9][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][client: media.cdn.viber.com][server: *.cdn.viber.com] - 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/SSL.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][client: brahe.apptimize.com][server: *.apptimize.com] - 4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: Chat/9][32 pkts/6563 bytes <-> 26 pkts/2782 bytes] - 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][client: app-measurement.com] - 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][client: mapi.apptimize.com][server: *.apptimize.com] - 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/SSL][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][client: venetia.iad.appboy.com][server: y.ssl.fastly.net] - 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][client: mapi.apptimize.com][server: *.apptimize.com] - 9 UDP 192.168.0.17:47171 <-> 18.201.4.32:7985 [proto: 144/Viber][cat: Chat/9][24 pkts/5035 bytes <-> 22 pkts/2302 bytes] - 10 UDP 192.168.0.17:38190 <-> 18.201.4.3:7985 [proto: 144/Viber][cat: Chat/9][25 pkts/4344 bytes <-> 18 pkts/1872 bytes] + 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/SSL.Viber][cat: VoIP/10][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][TLSv1][JA3C: d8c87b9bfde38897979e41242626c2f3] + 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/SSL.Viber][cat: VoIP/10][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][TLSv1][JA3C: d8c87b9bfde38897979e41242626c2f3] + 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/SSL.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039] + 4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: VoIP/10][32 pkts/6563 bytes <-> 26 pkts/2782 bytes] + 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][TLSv1.2][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164] + 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039] + 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/SSL][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: y.ssl.fastly.net][JA3S: 860fcf58fd757e26aa8911e5eaff6b53] + 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039] + 9 UDP 192.168.0.17:47171 <-> 18.201.4.32:7985 [proto: 144/Viber][cat: VoIP/10][24 pkts/5035 bytes <-> 22 pkts/2302 bytes] + 10 UDP 192.168.0.17:38190 <-> 18.201.4.3:7985 [proto: 144/Viber][cat: VoIP/10][25 pkts/4344 bytes <-> 18 pkts/1872 bytes] 11 ICMP 192.168.0.17:0 <-> 192.168.0.15:0 [proto: 81/ICMP][cat: Network/14][1 pkts/1514 bytes <-> 1 pkts/1514 bytes] 12 UDP 192.168.0.17:62872 <-> 192.168.0.15:53 [proto: 5/DNS][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/373 bytes][Host: mapi.apptimize.com] 13 TCP 192.168.0.17:33744 <-> 18.201.4.3:443 [proto: 91/SSL][cat: Web/5][4 pkts/272 bytes <-> 2 pkts/140 bytes] @@ -26,11 +26,11 @@ Amazon 71 24849 3 16 UDP 192.168.0.17:35283 <-> 192.168.0.15:53 [proto: 5/DNS][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/303 bytes][Host: app.adjust.com] 17 UDP 192.168.0.17:45743 <-> 192.168.0.15:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/78 bytes <-> 1 pkts/203 bytes][Host: graph.facebook.com] 18 UDP 192.168.0.17:44376 <-> 192.168.0.15:53 [proto: 5/DNS][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/183 bytes][Host: venetia.iad.appboy.com] - 19 UDP 192.168.0.17:37418 <-> 192.168.0.15:53 [proto: 5.144/DNS.Viber][cat: Chat/9][1 pkts/79 bytes <-> 1 pkts/185 bytes][Host: media.cdn.viber.com] - 20 UDP 192.168.0.17:40445 <-> 192.168.0.15:53 [proto: 5.144/DNS.Viber][cat: Chat/9][1 pkts/78 bytes <-> 1 pkts/185 bytes][Host: dl-media.viber.com] + 19 UDP 192.168.0.17:37418 <-> 192.168.0.15:53 [proto: 5.144/DNS.Viber][cat: VoIP/10][1 pkts/79 bytes <-> 1 pkts/185 bytes][Host: media.cdn.viber.com] + 20 UDP 192.168.0.17:40445 <-> 192.168.0.15:53 [proto: 5.144/DNS.Viber][cat: VoIP/10][1 pkts/78 bytes <-> 1 pkts/185 bytes][Host: dl-media.viber.com] 21 UDP 192.168.0.17:41993 <-> 172.217.23.106:443 [proto: 188.126/QUIC.Google][cat: Web/5][2 pkts/130 bytes <-> 1 pkts/64 bytes] 22 UDP 192.168.0.17:35331 <-> 192.168.0.15:53 [proto: 5/DNS][cat: Network/14][1 pkts/79 bytes <-> 1 pkts/95 bytes][Host: app-measurement.com] 23 UDP 192.168.0.17:50097 <-> 192.168.0.15:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/74 bytes <-> 1 pkts/90 bytes][Host: www.google.com] 24 ICMPV6 [fe80::3207:4dff:fea3:5fa7]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes] - 25 UDP 192.168.0.17:38190 <-> 18.201.4.3:7987 [proto: 144/Viber][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/62 bytes] - 26 UDP 192.168.0.17:47171 <-> 18.201.4.32:7987 [proto: 144/Viber][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/62 bytes] + 25 UDP 192.168.0.17:38190 <-> 18.201.4.3:7987 [proto: 144/Viber][cat: VoIP/10][1 pkts/76 bytes <-> 1 pkts/62 bytes] + 26 UDP 192.168.0.17:47171 <-> 18.201.4.32:7987 [proto: 144/Viber][cat: VoIP/10][1 pkts/76 bytes <-> 1 pkts/62 bytes] diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index c321981a5..c654f4165 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out @@ -6,19 +6,19 @@ Google 13 2142 1 Waze 484 289335 19 WhatsApp 15 1341 1 - 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][server: *.world.waze.com] + 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][cat: Web/5][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Host: xtra1.gpsonextra.net] - 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][server: *.world.waze.com] - 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][server: *.world.waze.com] - 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][server: *.world.waze.com] - 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][server: *.world.waze.com] - 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][server: *.world.waze.com] - 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][server: *.waze.com] - 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][server: *.waze.com] - 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][server: *.world.waze.com] - 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][server: *.world.waze.com] - 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][server: *.world.waze.com] - 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][server: *.waze.com] + 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] + 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] + 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] + 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] 14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Host: roadshields.waze.com] 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 64.126/SSL_No_Cert.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes] 16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][8 pkts/594 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index ed5418eae..c5383f501 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out @@ -6,36 +6,36 @@ Google 17 6375 1 Webex 1380 818407 43 Amazon 33 9742 2 - 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][server: *.webex.com] - 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][client: radcom.webex.com] - 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][client: radcom.webex.com][server: *.webex.com] - 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][server: *.webex.com] - 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][server: *.webex.com] - 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][server: *.webex.com] - 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][server: *.webex.com] + 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][TLSv1][JA3C: f9010d8c34749bdf7659b52227e6f91b] + 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][TLSv1][JA3C: f9010d8c34749bdf7659b52227e6f91b] + 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] 8 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][cat: VoIP/10][22 pkts/15356 bytes -> 0 pkts/0 bytes] - 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][server: *.webex.com] - 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/SSL.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][client: api.crittercism.com][server: *.crittercism.com] - 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][server: *.webex.com] - 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][server: *.webex.com] - 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][server: *.webex.com] - 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][server: *.webex.com] - 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][server: *.webex.com] - 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] - 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] - 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][server: *.webex.com] - 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][server: *.webex.com] - 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][server: *.webex.com] - 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] - 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] - 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] - 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][client: ssl.google-analytics.com][server: *.google-analytics.com] - 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][server: *.webex.com] - 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][server: *.webex.com] - 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][server: *.webex.com] - 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][server: www.webex.com] - 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][server: *.webex.com] - 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][server: *.webex.com] + 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)] + 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/SSL.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)] + 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][TLSv1][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1] + 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] + 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes] 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes] 33 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes] @@ -44,21 +44,21 @@ Amazon 33 9742 2 36 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][7 pkts/1280 bytes <-> 6 pkts/453 bytes] 37 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][cat: Web/5][5 pkts/624 bytes <-> 5 pkts/767 bytes][Host: cp.pushwoosh.com] 38 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 141/Webex][cat: VoIP/10][14 pkts/1071 bytes <-> 2 pkts/100 bytes] - 39 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/614 bytes <-> 5 pkts/399 bytes][client: radcom.webex.com] - 40 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][5 pkts/560 bytes <-> 4 pkts/345 bytes][client: radcom.webex.com] - 41 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/501 bytes <-> 4 pkts/216 bytes] - 42 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 43 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 44 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 45 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 46 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 47 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 48 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 49 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][4 pkts/452 bytes <-> 4 pkts/216 bytes] - 50 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes] - 51 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes] - 52 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/299 bytes <-> 4 pkts/216 bytes] - 53 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][3 pkts/245 bytes <-> 2 pkts/108 bytes] + 39 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/614 bytes <-> 5 pkts/399 bytes][TLSv1][JA3C: f9010d8c34749bdf7659b52227e6f91b] + 40 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][5 pkts/560 bytes <-> 4 pkts/345 bytes][TLSv1][JA3C: f9010d8c34749bdf7659b52227e6f91b] + 41 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/501 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 42 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 43 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 44 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 45 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 46 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 47 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 48 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/427 bytes <-> 5 pkts/270 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 49 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][4 pkts/452 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333] + 50 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6] + 51 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/423 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6] + 52 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][4 pkts/299 bytes <-> 4 pkts/216 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] + 53 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][3 pkts/245 bytes <-> 2 pkts/108 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f] 54 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][cat: Web/5][3 pkts/209 bytes <-> 2 pkts/108 bytes] 55 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][2 pkts/128 bytes <-> 1 pkts/54 bytes] 56 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/SSL][cat: Web/5][1 pkts/66 bytes <-> 2 pkts/108 bytes] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out index 6443cd402..e8f1f0db9 100644 --- a/tests/result/wechat.pcap.out +++ b/tests/result/wechat.pcap.out @@ -14,36 +14,36 @@ WeChat 1251 606425 49 GoogleDocs 15 5114 2 1 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 64.197/SSL_No_Cert.WeChat][cat: SocialNetwork/6][88 pkts/15114 bytes <-> 91 pkts/61842 bytes] - 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][client: web.wechat.com][server: web.wechat.com] - 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][client: web.wechat.com][server: web.wechat.com] - 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][client: web.wechat.com][server: web.wechat.com] - 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][client: web.wechat.com][server: web.wechat.com] - 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][client: web.wechat.com][server: web.wechat.com] - 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][client: web.wechat.com][server: web.wechat.com] - 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][client: web.wechat.com][server: web.wechat.com] - 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][client: web.wechat.com][server: web.wechat.com] - 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][client: web.wechat.com][server: web.wechat.com] - 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][client: web.wechat.com][server: web.wechat.com] - 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][client: web.wechat.com][server: web.wechat.com] - 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][client: web.wechat.com][server: web.wechat.com] - 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][client: web.wechat.com][server: web.wechat.com] - 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][client: web.wechat.com][server: web.wechat.com] - 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] - 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] - 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][client: web.wechat.com][server: web.wechat.com] - 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][client: web.wechat.com][server: web.wechat.com] - 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][client: web.wechat.com][server: web.wechat.com] - 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][client: res.wx.qq.com][server: wx.qq.com] - 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/SSL.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][client: safebrowsing.googleusercontent.com][server: *.googleusercontent.com] + 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][TLSv1][JA3C: 550dce18de1bb143e69d6dd9413b8355] + 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/SSL.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][TLSv1][JA3C: d551fafc4f40f1dec2bb45980bfa9492] 23 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Host: ssl.gstatic.com] 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.241/QUIC.GoogleDocs][cat: Media/1][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Host: docs.google.com] - 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] - 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] - 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][client: web.wechat.com][server: web.wechat.com] - 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] - 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] - 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] - 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][9 pkts/966 bytes <-> 6 pkts/3571 bytes][client: web.wechat.com][server: web.wechat.com] + 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] + 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][cat: SocialNetwork/6][9 pkts/966 bytes <-> 6 pkts/3571 bytes][TLSv1][JA3C: e330bca99c8a5256ae126a55c4c725c5] 32 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/4488 bytes -> 0 pkts/0 bytes] 33 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Host: ssl.gstatic.com] 34 UDP 192.168.1.103:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/3608 bytes -> 0 pkts/0 bytes] @@ -90,12 +90,12 @@ GoogleDocs 15 5114 2 75 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] 76 UDP [fe80::91f9:3df3:7436:6cd6]:49195 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: cansaqcq] 77 UDP [fe80::91f9:3df3:7436:6cd6]:50577 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: mcztmpkc] - 78 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] - 79 UDP 192.168.1.103:42856 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/170 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org.lan] - 80 UDP 192.168.1.103:45366 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 81 UDP 192.168.1.103:56367 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 82 UDP 192.168.1.103:41759 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 2.debian.pool.ntp.org] - 83 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org] + 78 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] + 79 UDP 192.168.1.103:42856 -> 192.168.1.254:53 [proto: 5.5/DNS][cat: Network/14][2 pkts/170 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org.lan] + 80 UDP 192.168.1.103:45366 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 81 UDP 192.168.1.103:56367 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 82 UDP 192.168.1.103:41759 -> 192.168.1.254:53 [proto: 5.5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 2.debian.pool.ntp.org] + 83 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5.5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org] 84 UDP 192.168.1.103:42074 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][2 pkts/158 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] 85 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] 86 UDP 192.168.1.100:49832 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: cansaqcq] @@ -107,12 +107,12 @@ GoogleDocs 15 5114 2 92 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes] 93 0 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/110 bytes -> 0 pkts/0 bytes] 94 UDP 192.168.1.103:37578 -> 193.204.114.233:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes] - 95 UDP 192.168.1.103:44346 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] - 96 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] + 95 UDP 192.168.1.103:44346 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] + 96 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] 97 ICMPV6 [::]:0 -> [ff02::1:ff86:6c5b]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes] - 98 UDP 192.168.1.103:33915 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 99 UDP 192.168.1.103:43317 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 100 UDP 192.168.1.103:58165 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: SocialNetwork/6][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 98 UDP 192.168.1.103:33915 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 99 UDP 192.168.1.103:43317 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 100 UDP 192.168.1.103:58165 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] 101 UDP 192.168.1.103:59567 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/79 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] 102 UDP 192.168.1.103:42589 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/75 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com] 103 IGMP 192.168.1.108:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][1 pkts/54 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out index b62f14fff..757e05465 100644 --- a/tests/result/weibo.pcap.out +++ b/tests/result/weibo.pcap.out @@ -17,7 +17,7 @@ Sina(Weibo) 419 258077 16 10 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][cat: Web/5][5 pkts/736 bytes <-> 4 pkts/863 bytes][Host: weibo.com] 11 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/604 bytes <-> 2 pkts/140 bytes][Host: js.t.sinajs.cn] 12 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/610 bytes <-> 1 pkts/66 bytes][Host: u1.img.mobile.sina.cn] - 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/SSL][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][client: g.alicdn.com] + 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/SSL][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][TLSv1][JA3C: 58e7f64db6e4fe4941dd9691d421196c] 14 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/75 bytes <-> 1 pkts/191 bytes][Host: img.t.sinajs.cn] 15 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/74 bytes <-> 1 pkts/190 bytes][Host: js.t.sinajs.cn] 16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/171 bytes][Host: g.alicdn.com] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 666b3d70a..11901a908 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -5,20 +5,19 @@ DHCP 10 3420 1 ICMP 10 700 1 SSL 8 589 2 Dropbox 4 2176 1 -Apple 105 22176 19 -WhatsApp 182 25154 2 +Apple 190 50263 21 +WhatsApp 187 25830 3 Spotify 3 258 1 -Messenger 70 9464 14 +Messenger 65 8788 13 WhatsAppVoice 706 91156 4 -AppleStore 85 28087 2 ApplePush 22 5926 1 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes] 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes] 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes] - 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.224/SSL.AppleStore][cat: SoftwareUpdate/19][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][client: p53-buy.itunes.apple.com] - 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][client: query.ess.apple.com][server: *.ess.apple.com] - 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.224/SSL.AppleStore][cat: SoftwareUpdate/19][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][client: p53-buy.itunes.apple.com] + 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)] + 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] + 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)] 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes] 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 189/WhatsAppVoice][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes] 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac] @@ -39,12 +38,12 @@ ApplePush 22 5926 1 24 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] 25 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] 26 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 27 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 27 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.142/STUN.WhatsApp][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] 28 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/SSL][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes] 29 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes] 30 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: query.ess.apple.com] 31 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e13.whatsapp.net] - 32 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Streaming/17][3 pkts/258 bytes -> 0 pkts/0 bytes] + 32 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes] 33 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes] 34 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes] 35 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out index 324b0cd4c..04aaaccf4 100644 --- a/tests/result/whatsapp_login_chat.pcap.out +++ b/tests/result/whatsapp_login_chat.pcap.out @@ -14,4 +14,4 @@ ApplePush 6 2095 1 6 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e12.whatsapp.net] 7 UDP [fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/111 bytes -> 0 pkts/0 bytes] 8 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes] - 9 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Streaming/17][1 pkts/86 bytes -> 0 pkts/0 bytes] + 9 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out index a8bd6e497..e2e16cce8 100644 --- a/tests/result/whatsapp_voice_and_message.pcap.out +++ b/tests/result/whatsapp_voice_and_message.pcap.out @@ -1,5 +1,5 @@ -WhatsApp 217 22139 5 -Messenger 44 5916 8 +WhatsApp 222 22815 6 +Messenger 39 5240 7 1 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][cat: Chat/9][30 pkts/2539 bytes <-> 32 pkts/3070 bytes] 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][cat: Chat/9][24 pkts/3029 bytes <-> 22 pkts/1961 bytes] @@ -13,4 +13,4 @@ Messenger 44 5916 8 10 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] 11 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.157/STUN.Messenger][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.142/STUN.WhatsApp][cat: Chat/9][3 pkts/504 bytes <-> 2 pkts/172 bytes] diff --git a/tests/result/youtubeupload.pcap.out b/tests/result/youtubeupload.pcap.out index 6e65c9abd..835e63087 100644 --- a/tests/result/youtubeupload.pcap.out +++ b/tests/result/youtubeupload.pcap.out @@ -2,4 +2,4 @@ YouTubeUpload 137 127038 3 1 UDP 192.168.2.27:51925 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][80 pkts/100473 bytes <-> 20 pkts/6003 bytes][Host: upload.youtube.com] 2 UDP 192.168.2.27:62232 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][13 pkts/8651 bytes <-> 11 pkts/6463 bytes][Host: upload.youtube.com] - 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/SSL.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][client: upload.youtube.com][server: upload.video.google.com] + 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/SSL.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][TLSv1][JA3C: bc6c386f480ee97b9d9e52d472b772d8] |