-rw-r--r--example/ndpiReader.c2
-rw-r--r--example/ndpiSimpleIntegration.c28
-rw-r--r--example/reader_util.c82
-rw-r--r--example/reader_util.h1
-rw-r--r--fuzz/Makefile.am2
-rw-r--r--fuzz/fuzz_process_packet.c10
-rw-r--r--python/ndpi.py44
-rw-r--r--python/ndpi_typestruct.py37
-rw-r--r--src/include/ndpi_typedefs.h73
-rw-r--r--src/lib/ndpi_main.c57
-rw-r--r--src/lib/ndpi_utils.c102
-rw-r--r--src/lib/protocols/dhcp.c120
-rw-r--r--src/lib/protocols/ftp_control.c22
-rw-r--r--src/lib/protocols/http.c6
-rw-r--r--src/lib/protocols/imo.c8
-rw-r--r--src/lib/protocols/kerberos.c71
-rw-r--r--src/lib/protocols/mail_imap.c10
-rw-r--r--src/lib/protocols/mail_pop.c12
-rw-r--r--src/lib/protocols/mail_smtp.c58
-rw-r--r--src/lib/protocols/quic.c30
-rw-r--r--src/lib/protocols/rtp.c2
-rw-r--r--src/lib/protocols/stun.c18
-rw-r--r--src/lib/protocols/tls.c210
-rw-r--r--tests/pcap/dhcp-fuzz.pcapngbin0 -> 9692 bytes
-rw-r--r--tests/pcap/kerberos_fuzz.pcapngbin0 -> 436 bytes
-rw-r--r--tests/result/1kxun.pcap.out4
-rw-r--r--tests/result/alexa-app.pcapng.out2
-rw-r--r--tests/result/dhcp-fuzz.pcapng.out7
-rw-r--r--tests/result/fuzz-2006-06-26-2594.pcap.out2
-rw-r--r--tests/result/kerberos_fuzz.pcapng.out7
-rw-r--r--tests/result/teams.pcap.out2
-rw-r--r--tests/result/telegram.pcap.out2
-rw-r--r--tests/result/zoom.pcap.out2
33 files changed, 560 insertions, 473 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index e646cc33d..ecbcafd1f 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1539,6 +1539,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
flow->bittorent_hash);
if(flow->dhcp_fingerprint) fprintf(out, "[DHCP Fingerprint: %s]",
flow->dhcp_fingerprint);
+ if(flow->dhcp_class_ident) fprintf(out, "[DHCP Class Ident: %s]",
+ flow->dhcp_class_ident);
if(flow->has_human_readeable_strings) fprintf(out, "[PLAIN TEXT (%s)]",
flow->human_readeable_string_buffer);
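Review bot: The DHCP class identifier printed by the added `fprintf(out, "[DHCP Class Ident: %s]", ...)` is parsed from packet contents, and nothing in this hunk shows it has been restricted to printable characters. If the dissector does not already filter it, control bytes in the option would be written to the terminal or log unchanged. Once confirmed, a comment such as `/* class_ident is limited to printable characters by the DHCP dissector */` would record where the value is sanitised. printFlow starts and ends outside the hunk.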
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index 2383279e4..d5cc728ad 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -914,7 +914,7 @@ static void ndpi_process_packet(uint8_t * const args,
flow_to_process->detected_l7_protocol.app_protocol == NDPI_PROTOCOL_TLS)
{
if (flow_to_process->tls_client_hello_seen == 0 &&
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.hello_processed != 0)
+ flow_to_process->ndpi_flow->protos.tls_quic.hello_processed != 0)
{
uint8_t unknown_tls_version = 0;
printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | alpn: %s\n",
@@ -922,11 +922,11 @@ static void ndpi_process_packet(uint8_t * const args,
reader_thread->array_index,
flow_to_process->flow_id,
ndpi_ssl_version2str(flow_to_process->ndpi_flow,
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.ssl_version,
+ flow_to_process->ndpi_flow->protos.tls_quic.ssl_version,
&unknown_tls_version),
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
- (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn != NULL ?
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn : "-"));
+ flow_to_process->ndpi_flow->protos.tls_quic.client_requested_server_name,
+ (flow_to_process->ndpi_flow->protos.tls_quic.alpn != NULL ?
+ flow_to_process->ndpi_flow->protos.tls_quic.alpn : "-"));
flow_to_process->tls_client_hello_seen = 1;
}
if (flow_to_process->tls_server_hello_seen == 0 &&
@@ -939,16 +939,16 @@ static void ndpi_process_packet(uint8_t * const args,
reader_thread->array_index,
flow_to_process->flow_id,
ndpi_ssl_version2str(flow_to_process->ndpi_flow,
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.ssl_version,
+ flow_to_process->ndpi_flow->protos.tls_quic.ssl_version,
&unknown_tls_version),
- (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len == 0 ?
- 1 : flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len),
- (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names == NULL ?
- "-" : flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names),
- (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN != NULL ?
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN : "-"),
- (flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.subjectDN != NULL ?
- flow_to_process->ndpi_flow->protos.tls_quic_stun.tls_quic.subjectDN : "-"));
+ (flow_to_process->ndpi_flow->protos.tls_quic.server_names_len == 0 ?
+ 1 : flow_to_process->ndpi_flow->protos.tls_quic.server_names_len),
+ (flow_to_process->ndpi_flow->protos.tls_quic.server_names == NULL ?
+ "-" : flow_to_process->ndpi_flow->protos.tls_quic.server_names),
+ (flow_to_process->ndpi_flow->protos.tls_quic.issuerDN != NULL ?
+ flow_to_process->ndpi_flow->protos.tls_quic.issuerDN : "-"),
+ (flow_to_process->ndpi_flow->protos.tls_quic.subjectDN != NULL ?
+ flow_to_process->ndpi_flow->protos.tls_quic.subjectDN : "-"));
flow_to_process->tls_server_hello_seen = 1;
}
}
diff --git a/example/reader_util.c b/example/reader_util.c
index 5cb8621a4..3a161d684 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -451,6 +451,10 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
ndpi_free(flow->dhcp_fingerprint);
flow->dhcp_fingerprint = NULL;
}
+ if(flow->dhcp_class_ident) {
+ ndpi_free(flow->dhcp_class_ident);
+ flow->dhcp_class_ident = NULL;
+ }
if(flow->bittorent_hash) {
ndpi_free(flow->bittorent_hash);
@@ -1072,6 +1076,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)) {
if(flow->ndpi_flow->protos.dhcp.fingerprint[0] != '\0')
flow->dhcp_fingerprint = ndpi_strdup(flow->ndpi_flow->protos.dhcp.fingerprint);
+ if(flow->ndpi_flow->protos.dhcp.class_ident[0] != '\0')
+ flow->dhcp_class_ident = ndpi_strdup(flow->ndpi_flow->protos.dhcp.class_ident);
} else if(is_ndpi_proto(flow, NDPI_PROTOCOL_BITTORRENT)) {
u_int j;
@@ -1111,11 +1117,11 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
|| /* IMAP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_IMAP)
|| /* POP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_POP)
|| /* SMTP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_SMTP)) {
- if(flow->ndpi_flow->protos.ftp_imap_pop_smtp.username[0] != '\0')
+ if(flow->ndpi_flow->ftp_imap_pop_smtp.username[0] != '\0')
snprintf(flow->info, sizeof(flow->info), "User: %s][Pwd: %s%s",
- flow->ndpi_flow->protos.ftp_imap_pop_smtp.username,
- flow->ndpi_flow->protos.ftp_imap_pop_smtp.password,
- flow->ndpi_flow->protos.ftp_imap_pop_smtp.auth_failed ? "][Auth Failed" : "");
+ flow->ndpi_flow->ftp_imap_pop_smtp.username,
+ flow->ndpi_flow->ftp_imap_pop_smtp.password,
+ flow->ndpi_flow->ftp_imap_pop_smtp.auth_failed ? "][Auth Failed" : "");
}
/* KERBEROS */
else if(is_ndpi_proto(flow, NDPI_PROTOCOL_KERBEROS)) {
@@ -1169,77 +1175,77 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
else if((is_ndpi_proto(flow, NDPI_PROTOCOL_TLS))
|| ((is_quic = is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC)))
|| (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
- || (flow->ndpi_flow->protos.tls_quic_stun.tls_quic.ja3_client[0] != '\0')
+ || (flow->ndpi_flow->protos.tls_quic.ja3_client[0] != '\0')
) {
- flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.ssl_version;
+ flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version;
snprintf(flow->ssh_tls.client_requested_server_name,
sizeof(flow->ssh_tls.client_requested_server_name), "%s",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+ flow->ndpi_flow->protos.tls_quic.client_requested_server_name);
snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : "");
- if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names_len > 0 && flow->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names)
- flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.server_names);
+ if(flow->ndpi_flow->protos.tls_quic.server_names_len > 0 && flow->ndpi_flow->protos.tls_quic.server_names)
+ flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.server_names);
- flow->ssh_tls.notBefore = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.notBefore;
- flow->ssh_tls.notAfter = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.notAfter;
+ flow->ssh_tls.notBefore = flow->ndpi_flow->protos.tls_quic.notBefore;
+ flow->ssh_tls.notAfter = flow->ndpi_flow->protos.tls_quic.notAfter;
snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.ja3_client);
+ flow->ndpi_flow->protos.tls_quic.ja3_client);
snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.ja3_server);
- flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher;
- flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.server_cipher;
+ flow->ndpi_flow->protos.tls_quic.ja3_server);
+ flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.tls_quic.server_unsafe_cipher;
+ flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.tls_quic.server_cipher;
if(flow->ndpi_flow->l4.tcp.tls.fingerprint_set) {
memcpy(flow->ssh_tls.sha1_cert_fingerprint,
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint, 20);
+ flow->ndpi_flow->protos.tls_quic.sha1_certificate_fingerprint, 20);
flow->ssh_tls.sha1_cert_fingerprint_set = 1;
}
- flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.browser_heuristics;
+ flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics;
- if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn) {
- if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn)) != NULL)
+ if(flow->ndpi_flow->protos.tls_quic.alpn) {
+ if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.alpn)) != NULL)
correct_csv_data_field(flow->ssh_tls.tls_alpn);
}
- if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN)
- flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.issuerDN);
+ if(flow->ndpi_flow->protos.tls_quic.issuerDN)
+ flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic.issuerDN);
- if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.subjectDN)
- flow->ssh_tls.tls_subjectDN = strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.subjectDN);
+ if(flow->ndpi_flow->protos.tls_quic.subjectDN)
+ flow->ssh_tls.tls_subjectDN = strdup(flow->ndpi_flow->protos.tls_quic.subjectDN);
- if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni) {
- flow->ssh_tls.encrypted_sni.esni = strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni);
- flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic_stun.tls_quic.encrypted_sni.cipher_suite;
+ if(flow->ndpi_flow->protos.tls_quic.encrypted_sni.esni) {
+ flow->ssh_tls.encrypted_sni.esni = strdup(flow->ndpi_flow->protos.tls_quic.encrypted_sni.esni);
+ flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic.encrypted_sni.cipher_suite;
}
if(flow->ssh_tls.tls_supported_versions) {
- if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)) != NULL)
+ if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL)
correct_csv_data_field(flow->ssh_tls.tls_supported_versions);
}
- if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn
- && flow->ndpi_flow->protos.tls_quic_stun.tls_quic.tls_supported_versions) {
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn);
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
+ if(flow->ndpi_flow->protos.tls_quic.alpn
+ && flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
+ correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
+ correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
if(csv_fp)
snprintf(flow->info, sizeof(flow->info), "%s",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn);
+ flow->ndpi_flow->protos.tls_quic.alpn);
else
snprintf(flow->info, sizeof(flow->info), "ALPN: %s][TLS Supported Versions: %s",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn,
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
- } else if(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn) {
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn);
+ flow->ndpi_flow->protos.tls_quic.alpn,
+ flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
+ } else if(flow->ndpi_flow->protos.tls_quic.alpn) {
+ correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
if(csv_fp)
snprintf(flow->info, sizeof(flow->info), "%s,",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn);
+ flow->ndpi_flow->protos.tls_quic.alpn);
else
snprintf(flow->info, sizeof(flow->info), "ALPN: %s",
- flow->ndpi_flow->protos.tls_quic_stun.tls_quic.alpn);
+ flow->ndpi_flow->protos.tls_quic.alpn);
}
if(enable_doh_dot_detection) {
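Review bot: The guard `if(flow->ssh_tls.tls_supported_versions)` tests the destination pointer rather than the source, so the `ndpi_strdup` of `protos.tls_quic.tls_supported_versions` beneath it runs only when the destination is already set, and then overwrites it without freeing the old value. The neighbouring alpn and issuerDN copies test the source field; this one should read `if(flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {`. Separately, issuerDN, subjectDN and esni are copied with `strdup` while the other fields use `ndpi_strdup`, and the `strdup` results are not checked. The matching release code is not visible here, so confirm it uses the same allocator. process_ndpi_collected_info starts and ends outside the hunk.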
diff --git a/example/reader_util.h b/example/reader_util.h
index 01955129a..bb4747ecc 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -200,6 +200,7 @@ typedef struct ndpi_flow_info {
char host_server_name[240];
char *bittorent_hash;
char *dhcp_fingerprint;
+ char *dhcp_class_ident;
ndpi_risk risk;
struct {
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index ade21ac5a..dc149968a 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -46,7 +46,7 @@ fuzz_ndpi_reader_with_main_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS
# required for Google oss-fuzz
# see https://github.com/google/oss-fuzz/tree/master/projects/ndpi
-testpcaps := $(wildcard ../tests/pcap/*.pcap)
+testpcaps := $(wildcard ../tests/pcap/*.pcap*)
fuzz_ndpi_reader_seed_corpus.zip: $(testpcaps)
zip -r fuzz_ndpi_reader_seed_corpus.zip $(testpcaps)
diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c
index 9efd80799..b8780b7a8 100644
--- a/fuzz/fuzz_process_packet.c
+++ b/fuzz/fuzz_process_packet.c
@@ -8,13 +8,18 @@ struct ndpi_id_struct *src;
struct ndpi_id_struct *dst;
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ uint8_t protocol_was_guessed;
+
if (ndpi_info_mod == NULL) {
- ndpi_info_mod = ndpi_init_detection_module(ndpi_no_prefs);
- NDPI_PROTOCOL_BITMASK all;
+ ndpi_info_mod = ndpi_init_detection_module(ndpi_enable_ja3_plus);
+ NDPI_PROTOCOL_BITMASK all, debug_bitmask;
NDPI_BITMASK_SET_ALL(all);
+ NDPI_BITMASK_SET_ALL(debug_bitmask);
ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);
src = ndpi_malloc(SIZEOF_ID_STRUCT);
dst = ndpi_malloc(SIZEOF_ID_STRUCT);
+ ndpi_set_log_level(ndpi_info_mod, 4);
+ ndpi_set_debug_bitmask(ndpi_info_mod, debug_bitmask);
ndpi_finalize_initialization(ndpi_info_mod);
}
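Review bot: `ndpi_set_log_level(ndpi_info_mod, 4)` and the all-ones `debug_bitmask` are added without a comment, and the literal `4` does not say which level it selects. If the intent is to cover the logging code, a line such as `/* enable debug logging for every protocol so the fuzzer also exercises the log paths */` would make that explicit, along with the likely cost in executions per second. The harness also uses `ndpi_info_mod`, `src` and `dst` without a NULL check after allocation, so an allocation failure would surface as a crash inside the library rather than as a clean harness exit.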
@@ -23,6 +28,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
memset(src, 0, SIZEOF_ID_STRUCT);
memset(dst, 0, SIZEOF_ID_STRUCT);
ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, src, dst);
+ ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed);
ndpi_free_flow(ndpi_flow);
return 0;
diff --git a/python/ndpi.py b/python/ndpi.py
index 48103e777..a31a41a17 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -644,6 +644,13 @@ struct ndpi_flow_udp_struct {
/* NDPI_PROTOCOL_CSGO */
uint8_t csgo_strid[18],csgo_state,csgo_s2;
uint32_t csgo_id2;
+
+ /* NDPI_PROTOCOL_RDP */
+ u_int8_t rdp_to_srv[3], rdp_from_srv[3], rdp_to_srv_pkts, rdp_from_srv_pkts;
+
+ /* NDPI_PROTOCOL_IMO */
+ uint8_t imo_last_one_byte_pkt, imo_last_byte;
+
};
struct ndpi_int_one_line_struct {
@@ -999,6 +1006,7 @@ struct ndpi_flow_struct {
uint8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
uint16_t response_status_code; /* 200, 404, etc. */
uint8_t detected_os[32]; /* Via HTTP/QUIC User-Agent */
+ uint8_t nat_ip[24];
} http;
@@ -1011,6 +1019,18 @@ struct ndpi_flow_struct {
char *pktbuf;
uint16_t pktbuf_maxlen, pktbuf_currlen;
} kerberos_buf;
+
+ struct {
+ u_int8_t num_udp_pkts, num_binding_requests;
+ u_int16_t num_processed_pkts;
+ } stun;
+
+ /* TODO: something clever to save memory */
+ struct {
+ uint8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
+ char username[32], password[16];
+ } ftp_imap_pop_smtp;
+
union {
/* the only fields useful for nDPI and ntopng */
struct {
@@ -1029,7 +1049,6 @@ struct ndpi_flow_struct {
} kerberos;
struct {
- struct {
char ssl_version_str[12];
uint16_t ssl_version, server_names_len;
char client_requested_server_name[64], *server_names,
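Review bot: `client_requested_server_name[64]` in this declaration does not match the `[256]` that src/include/ndpi_typedefs.h gives the same field in this commit, so every member after it sits at a different offset in the Python view of `struct ndpi_flow_struct`. If these declarations are used to read flow structures filled in by the C library, fields would be read from the wrong offsets. The size should be `char client_requested_server_name[256];`, and the rest of the struct is worth comparing with the header member by member. The struct definition starts and ends outside the hunk.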
@@ -1044,14 +1063,7 @@ struct ndpi_flow_struct {
char *esni;
} encrypted_sni;
ndpi_cipher_weakness server_unsafe_cipher;
- } ssl;
-
- struct {
- uint8_t num_udp_pkts, num_processed_pkts, num_binding_requests;
- } stun;
-
- /* We can have STUN over SSL/TLS thus they need to live together */
- } stun_ssl;
+ } tls_quic;
struct {
char client_signature[48], server_signature[48];
@@ -1059,10 +1071,6 @@ struct ndpi_flow_struct {
} ssh;
struct {
- uint8_t last_one_byte_pkt, last_byte;
- } imo;
-
- struct {
uint8_t username_detected:1, username_found:1,
password_detected:1, password_found:1,
pad:4;
@@ -1079,16 +1087,6 @@ struct ndpi_flow_struct {
} ubntac2;
struct {
- /* Via HTTP X-Forwarded-For */
- uint8_t nat_ip[24];
- } http;
-
- struct {
- uint8_t auth_found:1, auth_failed:1, auth_tls:1, _pad:5;
- char username[16], password[16];
- } ftp_imap_pop_smtp;
-
- struct {
/* Bittorrent hash */
uint8_t hash[20];
} bittorrent;
diff --git a/python/ndpi_typestruct.py b/python/ndpi_typestruct.py
index 606bf6576..09c1f7d7e 100644
--- a/python/ndpi_typestruct.py
+++ b/python/ndpi_typestruct.py
@@ -406,6 +406,12 @@ class NDPIFlowUdpStruct(Structure):
('csgo_state', c_uint8),
('csgo_s2', c_uint8),
('csgo_id2', c_uint32),
+ ('rdp_to_srv', c_uint8 * 3),
+ ('rdp_from_srv', c_uint8 * 3),
+ ('rdp_to_srv_pkts,', c_uint8),
+ ('rdp_from_srv_pkts', c_uint8),
+ ('imo_last_one_byte_pkt,', c_uint8),
+ ('imo_last_byte', c_uint8),
]
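Review bot: Two of the added field names carry a comma inside the string literal, `'rdp_to_srv_pkts,'` and `'imo_last_one_byte_pkt,'`, so ctypes creates the fields under those literal names and `rdp_to_srv_pkts` / `imo_last_one_byte_pkt` are not reachable as attributes. The memory layout is unaffected, but the entries should be `('rdp_to_srv_pkts', c_uint8),` and `('imo_last_one_byte_pkt', c_uint8),`. The `_fields_` list starts outside the hunk.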
@@ -423,6 +429,7 @@ class Http(Structure):
("request_version", c_uint8),
("response_status_code", c_uint16),
("detected_os", c_char * 32),
+ ("nat_ip", c_char * 24),
]
@@ -449,7 +456,7 @@ class Kerberos(Structure):
("realm", c_char * 24)]
-class Ssl(Structure):
+class QuicSsl(Structure):
_fields_ = [
("ssl_version", c_uint16),
("client_certificate", c_char * 64),
@@ -472,10 +479,6 @@ class Stun(Structure):
]
-class StunSsl(Structure):
- _fields_ = [("ssl", Ssl), ("stun", Stun)]
-
-
class Ssh(Structure):
_fields_ = [
("client_signature", c_char * 48),
@@ -485,13 +488,6 @@ class Ssh(Structure):
]
-class Imo(Structure):
- _fields_ = [
- ("last_one_byte_pkt", c_uint8),
- ("last_byte", c_uint8)
- ]
-
-
class Mdns(Structure):
_fields_ = [("answer", c_char * 96)]
@@ -500,18 +496,14 @@ class Ubntac2(Structure):
_fields_ = [("version", c_char * 32)]
-class Http2(Structure):
- _fields_ = [
- ("nat_ip", c_char * 24)
- ]
-
class FtpImapPopSmtp(Structure):
_fields_ = [
("auth_found", c_uint8, 1),
("auth_failed", c_uint8, 1),
("auth_tls", c_uint8, 1),
- ("_pad", c_uint8, 5),
- ("username", c_char * 16),
+ ("auth_done", c_uint8, 1),
+ ("_pad", c_uint8, 4),
+ ("username", c_char * 32),
("password", c_char * 16)
]
@@ -530,13 +522,10 @@ class Protos(Union):
_fields_ = [
("dns", Dns),
("kerberos", Kerberos),
- ("stun_ssl", StunSsl),
+ ("quic_ssl", QuicSsl),
("ssh", Ssh),
- ("imo", Imo),
("mdns", Mdns),
("ubntac2", Ubntac2),
- ("http", Http2),
- ("ftp_imap_pop_smtp", FtpImapPopSmtp),
("bittorrent", Bittorrent),
("dhcp", Dhcp)
]
@@ -699,6 +688,8 @@ NDPIFlowStruct._fields_ = [
("l4", L4),
("host_server_name", c_ubyte * 256),
("http", Http),
+ ("stun", Stun),
+ ("ftp_imap_pop_smtp", FtpImapPopSmtp),
("protos", Protos),
("excluded_protocol_bitmask", NDPIProtocolBitMask),
("category", c_int),
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index a57988feb..06bb4b4ae 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -788,6 +788,9 @@ struct ndpi_flow_udp_struct {
/* NDPI_PROTOCOL_RDP */
u_int8_t rdp_to_srv[3], rdp_from_srv[3], rdp_to_srv_pkts, rdp_from_srv_pkts;
+
+ /* NDPI_PROTOCOL_IMO */
+ u_int8_t imo_last_one_byte_pkt, imo_last_byte;
};
/* ************************************************** */
@@ -1248,6 +1251,7 @@ struct ndpi_flow_struct {
u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
u_int16_t response_status_code; /* 200, 404, etc. */
u_char detected_os[32]; /* Via HTTP/QUIC User-Agent */
+ u_char nat_ip[24]; /* Via HTTP X-Forwarded-For */
} http;
/*
@@ -1260,6 +1264,17 @@ struct ndpi_flow_struct {
u_int16_t pktbuf_maxlen, pktbuf_currlen;
} kerberos_buf;
+ struct {
+ u_int8_t num_udp_pkts, num_binding_requests;
+ u_int16_t num_processed_pkts;
+ } stun;
+
+ /* TODO: something clever to save memory */
+ struct {
+ u_int8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
+ char username[32], password[16];
+ } ftp_imap_pop_smtp;
+
union {
/* the only fields useful for nDPI and ntopng */
struct {
@@ -1278,39 +1293,31 @@ struct ndpi_flow_struct {
} kerberos;
struct {
- struct {
- char ssl_version_str[12];
- u_int16_t ssl_version, server_names_len;
- char client_requested_server_name[256], /* SNI hostname length: RFC 4366 */
+ char ssl_version_str[12];
+ u_int16_t ssl_version, server_names_len;
+ char client_requested_server_name[256]; /* SNI hostname length: RFC 4366 */
+ char
*server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
- u_int32_t notBefore, notAfter;
- char ja3_client[33], ja3_server[33];
- u_int16_t server_cipher;
- u_int8_t sha1_certificate_fingerprint[20];
- u_int8_t hello_processed:1, subprotocol_detected:1, _pad:6;
+ u_int32_t notBefore, notAfter;
+ char ja3_client[33], ja3_server[33];
+ u_int16_t server_cipher;
+ u_int8_t sha1_certificate_fingerprint[20];
+ u_int8_t hello_processed:1, subprotocol_detected:1, _pad:6;
#ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
- /* Under #ifdef to save memory for those who do not need them */
- u_int8_t num_tls_signature_algorithms;
- u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS];
+ /* Under #ifdef to save memory for those who do not need them */
+ u_int8_t num_tls_signature_algorithms;
+ u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS];
#endif
- struct tls_heuristics browser_heuristics;
-
- struct {
- u_int16_t cipher_suite;
- char *esni;
- } encrypted_sni;
- ndpi_cipher_weakness server_unsafe_cipher;
- } tls_quic;
+ struct tls_heuristics browser_heuristics;
struct {
- u_int8_t num_udp_pkts, num_binding_requests;
- u_int16_t num_processed_pkts;
- } stun;
-
- /* We can have STUN over SSL/TLS thus they need to live together */
- } tls_quic_stun;
+ u_int16_t cipher_suite;
+ char *esni;
+ } encrypted_sni;
+ ndpi_cipher_weakness server_unsafe_cipher;
+ } tls_quic;
struct {
char client_signature[48], server_signature[48];
@@ -1318,10 +1325,6 @@ struct ndpi_flow_struct {
} ssh;
struct {
- u_int8_t last_one_byte_pkt, last_byte;
- } imo;
-
- struct {
u_int8_t username_detected:1, username_found:1,
password_detected:1, password_found:1,
_pad:4;
@@ -1334,16 +1337,6 @@ struct ndpi_flow_struct {
} ubntac2;
struct {
- /* Via HTTP X-Forwarded-For */
- u_char nat_ip[24];
- } http;
-
- struct {
- u_int8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
- char username[32], password[16];
- } ftp_imap_pop_smtp;
-
- struct {
/* Bittorrent hash */
u_char hash[20];
} bittorrent;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7e7ecb13c..4fd952f77 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4298,23 +4298,23 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
flow_is_proto(flow, NDPI_PROTOCOL_MAIL_SMTPS) ||
flow_is_proto(flow, NDPI_PROTOCOL_MAIL_POPS) ||
flow_is_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS)) {
- if(flow->protos.tls_quic_stun.tls_quic.server_names)
- ndpi_free(flow->protos.tls_quic_stun.tls_quic.server_names);
+ if(flow->protos.tls_quic.server_names)
+ ndpi_free(flow->protos.tls_quic.server_names);
- if(flow->protos.tls_quic_stun.tls_quic.alpn)
- ndpi_free(flow->protos.tls_quic_stun.tls_quic.alpn);
+ if(flow->protos.tls_quic.alpn)
+ ndpi_free(flow->protos.tls_quic.alpn);
- if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
- ndpi_free(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
+ if(flow->protos.tls_quic.tls_supported_versions)
+ ndpi_free(flow->protos.tls_quic.tls_supported_versions);
- if(flow->protos.tls_quic_stun.tls_quic.issuerDN)
- ndpi_free(flow->protos.tls_quic_stun.tls_quic.issuerDN);
+ if(flow->protos.tls_quic.issuerDN)
+ ndpi_free(flow->protos.tls_quic.issuerDN);
- if(flow->protos.tls_quic_stun.tls_quic.subjectDN)
- ndpi_free(flow->protos.tls_quic_stun.tls_quic.subjectDN);
+ if(flow->protos.tls_quic.subjectDN)
+ ndpi_free(flow->protos.tls_quic.subjectDN);
- if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni)
- ndpi_free(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni);
+ if(flow->protos.tls_quic.encrypted_sni.esni)
+ ndpi_free(flow->protos.tls_quic.encrypted_sni.esni);
}
if(flow->l4_proto == IPPROTO_TCP) {
@@ -4915,13 +4915,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
}
- else if((flow->protos.tls_quic_stun.tls_quic.hello_processed == 1) &&
- (flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')) {
+ else if((flow->protos.tls_quic.hello_processed == 1) &&
+ (flow->protos.tls_quic.client_requested_server_name[0] != '\0')) {
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
} else if(enable_guess) {
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) && (flow->l4_proto == IPPROTO_TCP) &&
- flow->protos.tls_quic_stun.tls_quic.hello_processed)
+ flow->protos.tls_quic.hello_processed)
flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id;
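Review bot: `flow->protos.tls_quic.hello_processed` and `client_requested_server_name[0]` are read here without first checking that the flow was dissected as TLS or QUIC, and `protos` is a union shared with the dhcp, kerberos, ssh and other members. If another dissector has written its own member, these reads interpret that data as TLS state and the flow can be labelled TLS on the strength of unrelated bytes. The same unguarded read appears in the ndpi_fill_protocol_category hunk (@@ -5207) and in the `ja3_client[0]` test in example/reader_util.c (@@ -1169), where the branch goes on to duplicate pointers taken from the union. A protocol check before the union access is needed, or a comment stating why the member is known to be zero for other flows. ndpi_detection_giveup continues outside the hunk.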
@@ -4941,8 +4941,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
flow->guessed_protocol_id = guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN;
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) || (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
- if((guessed_protocol_id == 0) && (flow->protos.tls_quic_stun.stun.num_binding_requests > 0) &&
- (flow->protos.tls_quic_stun.stun.num_processed_pkts > 0))
+ if((guessed_protocol_id == 0) && (flow->stun.num_binding_requests > 0) &&
+ (flow->stun.num_processed_pkts > 0))
guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(flow->host_server_name[0] != '\0') {
@@ -4983,9 +4983,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) &&
(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) {
check_stun_export:
- /* if(flow->protos.tls_quic_stun.stun.num_processed_pkts || flow->protos.tls_quic_stun.stun.num_udp_pkts) */
+ /* if(flow->protos.stun.num_processed_pkts || flow->protos.stun.num_udp_pkts) */
{
- // if(/* (flow->protos.tls_quic_stun.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
+ // if(/* (flow->protos.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_STUN);
}
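Review bot: The two commented-out conditions were rewritten to `flow->protos.stun.num_processed_pkts`, but this commit moves the STUN counters to `flow->stun` (see `flow->stun.num_binding_requests` in the previous hunk), so the comments now name a path that does not exist. Either correct them to `flow->stun.num_processed_pkts || flow->stun.num_udp_pkts` or delete the dead conditions. ndpi_detection_giveup continues outside the hunk.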
@@ -5207,11 +5207,11 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
}
}
- if(flow->protos.tls_quic_stun.tls_quic.hello_processed == 1 &&
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') {
+ if(flow->protos.tls_quic.hello_processed == 1 &&
+ flow->protos.tls_quic.client_requested_server_name[0] != '\0') {
u_int32_t id;
- int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
- strlen(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name), &id);
+ int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.tls_quic.client_requested_server_name,
+ strlen(flow->protos.tls_quic.client_requested_server_name), &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t) id;
@@ -7222,9 +7222,9 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
case NDPI_PROTOCOL_MAIL_POP:
case NDPI_PROTOCOL_MAIL_IMAP:
case NDPI_PROTOCOL_MAIL_SMTP:
- if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0' &&
- flow->protos.ftp_imap_pop_smtp.auth_tls == 0 &&
- flow->protos.ftp_imap_pop_smtp.auth_done == 0)
+ if(flow->ftp_imap_pop_smtp.password[0] == '\0' &&
+ flow->ftp_imap_pop_smtp.auth_tls == 0 &&
+ flow->ftp_imap_pop_smtp.auth_done == 0)
return(1);
break;
@@ -7247,6 +7247,11 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
if(flow->extra_packets_func)
return(1);
break;
+
+ case NDPI_PROTOCOL_KERBEROS:
+ if(flow->extra_packets_func)
+ return(1);
+ break;
}
return(0);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index a9361f7c5..626f5ade3 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -865,9 +865,9 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const
return (char const *)flow->host_server_name;
case NDPI_PROTOCOL_QUIC:
case NDPI_PROTOCOL_TLS:
- if (flow->protos.tls_quic_stun.tls_quic.hello_processed != 0)
+ if (flow->protos.tls_quic.hello_processed != 0)
{
- return flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
+ return flow->protos.tls_quic.client_requested_server_name;
}
break;
}
@@ -930,10 +930,10 @@ char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow,
*unknown_tls_version = 1;
if(flow != NULL) {
- snprintf(flow->protos.tls_quic_stun.tls_quic.ssl_version_str,
- sizeof(flow->protos.tls_quic_stun.tls_quic.ssl_version_str), "TLS (%04X)", version);
+ snprintf(flow->protos.tls_quic.ssl_version_str,
+ sizeof(flow->protos.tls_quic.ssl_version_str), "TLS (%04X)", version);
- return(flow->protos.tls_quic_stun.tls_quic.ssl_version_str);
+ return(flow->protos.tls_quic.ssl_version_str);
} else
return("");
}
@@ -1150,7 +1150,9 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) {
case NDPI_PROTOCOL_DHCP:
ndpi_serialize_start_of_block(serializer, "dhcp");
+ ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint);
+ ndpi_serialize_string_string(serializer, "class_ident", flow->protos.dhcp.class_ident);
ndpi_serialize_end_of_block(serializer);
break;
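Review bot: The added `hostname` and `class_ident` entries are serialized unconditionally, whereas the QUIC branch of the same function emits `client_requested_server_name` only after testing `[0] != '\0'`. Both values presumably come from packet contents, so a guard such as `if(flow->protos.dhcp.class_ident[0] != '\0')` before each call would avoid empty keys and keep the output consistent. Whether the serializer escapes control characters in these strings is not visible here and should be confirmed. ndpi_dpi2json starts and ends outside the hunk.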
@@ -1238,54 +1240,54 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_QUIC:
ndpi_serialize_start_of_block(serializer, "quic");
- if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')
+ if(flow->protos.tls_quic.client_requested_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "client_requested_server_name",
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
- if(flow->protos.tls_quic_stun.tls_quic.server_names)
- ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic_stun.tls_quic.server_names);
+ flow->protos.tls_quic.client_requested_server_name);
+ if(flow->protos.tls_quic.server_names)
+ ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic.server_names);
if(flow->http.user_agent)
ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
- if(flow->protos.tls_quic_stun.tls_quic.ssl_version) {
+ if(flow->protos.tls_quic.ssl_version) {
u_int8_t unknown_tls_version;
- char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic_stun.tls_quic.ssl_version, &unknown_tls_version);
+ char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic.ssl_version, &unknown_tls_version);
if(!unknown_tls_version)
ndpi_serialize_string_string(serializer, "version", version);
- if(flow->protos.tls_quic_stun.tls_quic.alpn)
- ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic_stun.tls_quic.alpn);
- ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic_stun.tls_quic.ja3_client);
- if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
- ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
+ if(flow->protos.tls_quic.alpn)
+ ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic.alpn);
+ ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic.ja3_client);
+ if(flow->protos.tls_quic.tls_supported_versions)
+ ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic.tls_supported_versions);
}
ndpi_serialize_end_of_block(serializer);
break;
case NDPI_PROTOCOL_MAIL_IMAP:
ndpi_serialize_start_of_block(serializer, "imap");
- ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
- ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
+ ndpi_serialize_string_string(serializer, "user", flow->ftp_imap_pop_smtp.username);
+ ndpi_serialize_string_string(serializer, "password", flow->ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
case NDPI_PROTOCOL_MAIL_POP:
ndpi_serialize_start_of_block(serializer, "pop");
- ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
- ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
+ ndpi_serialize_string_string(serializer, "user", flow->ftp_imap_pop_smtp.username);
+ ndpi_serialize_string_string(serializer, "password", flow->ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
case NDPI_PROTOCOL_MAIL_SMTP:
ndpi_serialize_start_of_block(serializer, "smtp");
- ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
- ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
+ ndpi_serialize_string_string(serializer, "user", flow->ftp_imap_pop_smtp.username);
+ ndpi_serialize_string_string(serializer, "password", flow->ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
case NDPI_PROTOCOL_FTP_CONTROL:
ndpi_serialize_start_of_block(serializer, "ftp");
- ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
- ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
- ndpi_serialize_string_uint32(serializer, "auth_failed", flow->protos.ftp_imap_pop_smtp.auth_failed);
+ ndpi_serialize_string_string(serializer, "user", flow->ftp_imap_pop_smtp.username);
+ ndpi_serialize_string_string(serializer, "password", flow->ftp_imap_pop_smtp.password);
+ ndpi_serialize_string_uint32(serializer, "auth_failed", flow->ftp_imap_pop_smtp.auth_failed);
ndpi_serialize_end_of_block(serializer);
break;
@@ -1300,25 +1302,25 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_TLS:
case NDPI_PROTOCOL_DTLS:
- if(flow->protos.tls_quic_stun.tls_quic.ssl_version) {
+ if(flow->protos.tls_quic.ssl_version) {
char notBefore[32], notAfter[32];
struct tm a, b, *before = NULL, *after = NULL;
u_int i, off;
u_int8_t unknown_tls_version;
- char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic_stun.tls_quic.ssl_version, &unknown_tls_version);
+ char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic.ssl_version, &unknown_tls_version);
- if(flow->protos.tls_quic_stun.tls_quic.notBefore)
- before = gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notBefore, &a);
- if(flow->protos.tls_quic_stun.tls_quic.notAfter)
- after = gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notAfter, &b);
+ if(flow->protos.tls_quic.notBefore)
+ before = gmtime_r((const time_t *)&flow->protos.tls_quic.notBefore, &a);
+ if(flow->protos.tls_quic.notAfter)
+ after = gmtime_r((const time_t *)&flow->protos.tls_quic.notAfter, &b);
if(!unknown_tls_version) {
ndpi_serialize_start_of_block(serializer, "tls");
ndpi_serialize_string_string(serializer, "version", version);
ndpi_serialize_string_string(serializer, "client_requested_server_name",
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
- if(flow->protos.tls_quic_stun.tls_quic.server_names)
- ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic_stun.tls_quic.server_names);
+ flow->protos.tls_quic.client_requested_server_name);
+ if(flow->protos.tls_quic.server_names)
+ ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic.server_names);
if(before) {
strftime(notBefore, sizeof(notBefore), "%Y-%m-%d %H:%M:%S", before);
@@ -1329,27 +1331,27 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
strftime(notAfter, sizeof(notAfter), "%Y-%m-%d %H:%M:%S", after);
ndpi_serialize_string_string(serializer, "notafter", notAfter);
}
- ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic_stun.tls_quic.ja3_client);
- ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic_stun.tls_quic.ja3_server);
- ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher);
- ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.tls_quic_stun.tls_quic.server_cipher));
+ ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic.ja3_client);
+ ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic.ja3_server);
+ ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic.server_unsafe_cipher);
+ ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.tls_quic.server_cipher));
- if(flow->protos.tls_quic_stun.tls_quic.issuerDN)
- ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic_stun.tls_quic.issuerDN);
+ if(flow->protos.tls_quic.issuerDN)
+ ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic.issuerDN);
- if(flow->protos.tls_quic_stun.tls_quic.subjectDN)
- ndpi_serialize_string_string(serializer, "subjectDN", flow->protos.tls_quic_stun.tls_quic.subjectDN);
+ if(flow->protos.tls_quic.subjectDN)
+ ndpi_serialize_string_string(serializer, "subjectDN", flow->protos.tls_quic.subjectDN);
- if(flow->protos.tls_quic_stun.tls_quic.alpn)
- ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic_stun.tls_quic.alpn);
+ if(flow->protos.tls_quic.alpn)
+ ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic.alpn);
- if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
- ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
+ if(flow->protos.tls_quic.tls_supported_versions)
+ ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic.tls_supported_versions);
- if(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[0] != '\0') {
+ if(flow->protos.tls_quic.sha1_certificate_fingerprint[0] != '\0') {
for(i=0, off=0; i<20; i++) {
int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "",
- flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[i] & 0xFF);
+ flow->protos.tls_quic.sha1_certificate_fingerprint[i] & 0xFF);
if(rc <= 0) break; else off += rc;
}
@@ -2197,8 +2199,8 @@ char* ndpi_get_flow_name(struct ndpi_flow_struct *flow) {
if(flow->host_server_name[0] != '\0')
return((char*)flow->host_server_name);
- if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')
- return(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+ if(flow->protos.tls_quic.client_requested_server_name[0] != '\0')
+ return(flow->protos.tls_quic.client_requested_server_name);
no_flow_info:
return((char*)"");
diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c
index 21f052d95..d40bb5c35 100644
--- a/src/lib/protocols/dhcp.c
+++ b/src/lib/protocols/dhcp.c
@@ -61,6 +61,7 @@ static void ndpi_int_dhcp_add_connection(struct ndpi_detection_module_struct *nd
void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ u_int8_t msg_type = 0;
NDPI_LOG_DBG(ndpi_struct, "search DHCP\n");
@@ -79,75 +80,102 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru
u_int dhcp_options_size = ndpi_min(DHCP_VEND_LEN /* maximum size of options in dhcp_packet_t */,
packet->payload_packet_len - 244);
+
+ /* Parse options in two steps (since we need first the message type and
+ it seems there is no specific order in the options list) */
+
+ /* First iteration: search for the message type */
while(i + 1 /* for the len */ < dhcp_options_size) {
- u_int8_t id = dhcp->options[i];
+ u_int8_t id = dhcp->options[i];
- if(id == 0xFF)
- break;
- else {
- /* Prevent malformed packets to cause out-of-bounds accesses */
- u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */,
+ if(id == 0xFF)
+ break;
+ else {
+ /* Prevent malformed packets to cause out-of-bounds accesses */
+ u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */,
dhcp_options_size - (i+2) /* 1 for the type and 1 for the value */);
+ if(len == 0)
+ break;
+ if(id == 53 /* DHCP Message Type */) {
+ msg_type = dhcp->options[i+2];
+
+ if(msg_type <= 8) {
+ foundValidMsgType = 1;
+ break;
+ }
+ }
+ i += len + 2;
+ }
+ }
- if(len == 0)
- break;
-
-
+ if(!foundValidMsgType) {
#ifdef DHCP_DEBUG
- NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Id=%d [len=%d]\n", id, len);
+ NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Invalid message type %d. Not dhcp\n", msg_type);
#endif
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ /* Ok, we have a valid DHCP packet -> we can write to flow->protos.dhcp */
+ NDPI_LOG_INFO(ndpi_struct, "found DHCP\n");
+ ndpi_int_dhcp_add_connection(ndpi_struct, flow);
+
+ /* Second iteration: parse the interesting options */
+ while(i + 1 /* for the len */ < dhcp_options_size) {
+ u_int8_t id = dhcp->options[i];
+
+ if(id == 0xFF)
+ break;
+ else {
+ /* Prevent malformed packets to cause out-of-bounds accesses */
+ u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */,
+ dhcp_options_size - (i+2) /* 1 for the type and 1 for the value */);
+
+ if(len == 0)
+ break;
- if(id == 53 /* DHCP Message Type */) {
- u_int8_t msg_type = dhcp->options[i+2];
+#ifdef DHCP_DEBUG
+ NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Id=%d [len=%d]\n", id, len);
+#endif
- if(msg_type <= 8) foundValidMsgType = 1;
- } else if(id == 55 /* Parameter Request List / Fingerprint */) {
- u_int idx, offset = 0;
+ if(id == 55 /* Parameter Request List / Fingerprint */) {
+ u_int idx, offset = 0;
- for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) {
- int rc = snprintf((char*)&flow->protos.dhcp.fingerprint[offset],
+ for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) {
+ int rc = snprintf((char*)&flow->protos.dhcp.fingerprint[offset],
sizeof(flow->protos.dhcp.fingerprint) - offset,
"%s%u", (idx > 0) ? "," : "",
(unsigned int)dhcp->options[i+2+idx] & 0xFF);
- if(rc < 0) break; else offset += rc;
- }
+ if(rc < 0) break; else offset += rc;
+ }
- flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0';
- } else if(id == 60 /* Class Identifier */) {
- char *name = (char*)&dhcp->options[i+2];
- int j = 0;
+ flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0';
+ } else if(id == 60 /* Class Identifier */) {
+ char *name = (char*)&dhcp->options[i+2];
+ int j = 0;
- j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1);
- strncpy((char*)flow->protos.dhcp.class_ident, name, j);
- flow->protos.dhcp.class_ident[j] = '\0';
- } else if(id == 12 /* Host Name */) {
- char *name = (char*)&dhcp->options[i+2];
- int j = 0;
+ j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1);
+ strncpy((char*)flow->protos.dhcp.class_ident, name, j);
+ flow->protos.dhcp.class_ident[j] = '\0';
+ } else if(id == 12 /* Host Name */) {
+ char *name = (char*)&dhcp->options[i+2];
+ int j = 0;
#ifdef DHCP_DEBUG
- NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len);
+ NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len);
// while(j < len) { printf( "%c", name[j]); j++; }; printf("\n");
#endif
- j = ndpi_min(len, sizeof(flow->host_server_name)-1);
- strncpy((char*)flow->host_server_name, name, j);
- flow->host_server_name[j] = '\0';
- }
+ j = ndpi_min(len, sizeof(flow->host_server_name)-1);
+ strncpy((char*)flow->host_server_name, name, j);
+ flow->host_server_name[j] = '\0';
+ }
- i += len + 2;
- }
+ i += len + 2;
+ }
}
-
- //get_u_int16_t(packet->payload, 240) == htons(0x3501)) {
-
- if(foundValidMsgType) {
- NDPI_LOG_INFO(ndpi_struct, "found DHCP\n");
- ndpi_int_dhcp_add_connection(ndpi_struct, flow);
- }
- return;
}
}
-
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
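Review bot: The second `while` loop reuses `i` without resetting it, so it resumes from the position where the first loop stopped, which is the offset of option 53 when a valid message type was found. Any Host Name (12), Parameter Request List (55) or Class Identifier (60) option that precedes option 53 is therefore never parsed, which contradicts the new comment that the options have no specific order. Adding `i = 0;` just before the `/* Second iteration: parse the interesting options */` loop fixes this. The declaration of `i` and the start of ndpi_search_dhcp_udp() are outside this hunk.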
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index 7b6544bb4..2b6f1396f 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -50,23 +50,23 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n
#endif
if(ndpi_match_strprefix(payload, payload_len, "USER")) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.username,
- sizeof(flow->protos.ftp_imap_pop_smtp.username), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.username,
+ sizeof(flow->ftp_imap_pop_smtp.username), 5,
payload, payload_len);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
return 1;
}
if(ndpi_match_strprefix(payload, payload_len, "PASS")) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.password,
- sizeof(flow->protos.ftp_imap_pop_smtp.password), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.password,
+ sizeof(flow->ftp_imap_pop_smtp.password), 5,
payload, payload_len);
return 1;
}
if(ndpi_match_strprefix(payload, payload_len, "AUTH") ||
ndpi_match_strprefix(payload, payload_len, "auth")) {
- flow->protos.ftp_imap_pop_smtp.auth_found = 1;
+ flow->ftp_imap_pop_smtp.auth_found = 1;
return 1;
}
/* ***************************************************** */
@@ -562,14 +562,14 @@ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow,
case '2':
case '3':
case '6':
- if(flow->protos.ftp_imap_pop_smtp.auth_found == 1)
- flow->protos.ftp_imap_pop_smtp.auth_tls = 1;
+ if(flow->ftp_imap_pop_smtp.auth_found == 1)
+ flow->ftp_imap_pop_smtp.auth_tls = 1;
return(1);
break;
case '4':
case '5':
- flow->protos.ftp_imap_pop_smtp.auth_failed = 1;
+ flow->ftp_imap_pop_smtp.auth_failed = 1;
return(1);
break;
}
@@ -632,11 +632,11 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str
#ifdef FTP_DEBUG
printf("%s() [user: %s][pwd: %s]\n", __FUNCTION__,
- flow->protos.ftp_imap_pop_smtp.username, flow->protos.ftp_imap_pop_smtp.password);
+ flow->ftp_imap_pop_smtp.username, flow->ftp_imap_pop_smtp.password);
#endif
- if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0' &&
- flow->protos.ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */
+ if(flow->ftp_imap_pop_smtp.password[0] == '\0' &&
+ flow->ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */
flow->ftp_control_stage = 0;
else
ndpi_int_ftp_control_add_connection(ndpi_struct, flow);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 932b0f451..cef8b3cfc 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -574,9 +574,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
if(packet->forwarded_line.ptr) {
- len = ndpi_min(packet->forwarded_line.len, sizeof(flow->protos.http.nat_ip)-1);
- strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len);
- flow->protos.http.nat_ip[len] = '\0';
+ len = ndpi_min(packet->forwarded_line.len, sizeof(flow->http.nat_ip)-1);
+ strncpy((char*)flow->http.nat_ip, (char*)packet->forwarded_line.ptr, len);
+ flow->http.nat_ip[len] = '\0';
}
ndpi_http_parse_subprotocol(ndpi_struct, flow);
diff --git a/src/lib/protocols/imo.c b/src/lib/protocols/imo.c
index 2784e7143..fab99d301 100644
--- a/src/lib/protocols/imo.c
+++ b/src/lib/protocols/imo.c
@@ -39,11 +39,11 @@ void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct nd
if(packet->payload_packet_len == 1) {
/* Two one byte consecutive packets with the same payload */
- if((flow->protos.imo.last_one_byte_pkt == 1)
- && (flow->protos.imo.last_byte == packet->payload[0]))
+ if((flow->l4.udp.imo_last_one_byte_pkt == 1)
+ && (flow->l4.udp.imo_last_byte == packet->payload[0]))
ndpi_int_imo_add_connection(ndpi_struct, flow);
else
- flow->protos.imo.last_one_byte_pkt = 1, flow->protos.imo.last_byte = packet->payload[0];
+ flow->l4.udp.imo_last_one_byte_pkt = 1, flow->l4.udp.imo_last_byte = packet->payload[0];
} else if(((packet->payload_packet_len == 10)
&& (packet->payload[0] == 0x09)
&& (packet->payload[1] == 0x02))
@@ -62,7 +62,7 @@ void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct nd
if(flow->num_processed_pkts > 5)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
else
- flow->protos.imo.last_one_byte_pkt = 0;
+ flow->l4.udp.imo_last_one_byte_pkt = 0;
}
}
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index 1f242ac46..7702a8e07 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -32,6 +32,10 @@
#define KERBEROS_PORT 88
+static int ndpi_search_kerberos_extra(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
+
+
static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN);
@@ -158,6 +162,9 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef KERBEROS_DEBUG
printf("[Kerberos] Packet found 0x%02X/%u\n", msg_type, msg_type);
#endif
+
+ ndpi_int_kerberos_add_connection(ndpi_struct, flow);
+
if(msg_type != 0x0d) /* TGS-REP */ {
/* Process only on requests */
if(packet->payload[koffset+1] == 0xA3) {
@@ -309,6 +316,19 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
}
}
}
+#ifdef KERBEROS_DEBUG
+ printf("[Kerberos] Setting extra func from AS-REQ\n");
+#endif
+ flow->check_extra_packets = 1;
+ flow->max_extra_packets_to_check = 5; /* Reply may be split into multiple segments */
+ flow->extra_packets_func = ndpi_search_kerberos_extra;
+ } else if(msg_type == 0x0e) /* AS-REQ */ {
+#ifdef KERBEROS_DEBUG
+ printf("[Kerberos] Processing AS-REQ\n");
+#endif
+ /* Nothing specific to do; stop dissecting this flow */
+ flow->extra_packets_func = NULL;
+
} else if(msg_type == 0x0c) /* TGS-REQ */ {
#ifdef KERBEROS_DEBUG
printf("[Kerberos] Processing TGS-REQ\n");
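Review bot: The new `else if(msg_type == 0x0e)` branch is commented and logged as AS-REQ, but in RFC 4120 message type 14 is KRB_AP_REQ; AS-REQ is 10 and AS-REP is 11. The preceding branch already logs "Setting extra func from AS-REQ", so either the label or the constant is wrong here. If 0x0e is intended, the comment and debug string should read `/* AP-REQ */` and `"[Kerberos] Processing AP-REQ\n"`; if the intent was to stop on the AS reply, the constant should be reviewed instead. The conditions of the surrounding branches start outside this hunk.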
@@ -357,18 +377,22 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
}
}
}
+#ifdef KERBEROS_DEBUG
+ printf("[Kerberos] Setting extra func from TGS-REQ\n");
+#endif
+ if(!packet->udp) {
+ flow->check_extra_packets = 1;
+ flow->max_extra_packets_to_check = 5; /* Reply may be split into multiple segments */
+ flow->extra_packets_func = ndpi_search_kerberos_extra;
+ }
- if(packet->udp)
- ndpi_int_kerberos_add_connection(ndpi_struct, flow);
-
- /* We set the protocol in the response */
if(flow->kerberos_buf.pktbuf != NULL) {
ndpi_free(flow->kerberos_buf.pktbuf);
packet->payload = original_packet_payload;
packet->payload_packet_len = original_payload_packet_len;
flow->kerberos_buf.pktbuf = NULL;
}
-
+
return;
} else if(msg_type == 0x0d) /* TGS-REP */ {
u_int16_t pad_data_len, cname_offset;
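Review bot: The extra-packet setup is guarded by `if(!packet->udp)` here, while the AS-REQ branch in the previous hunk sets `check_extra_packets`, `max_extra_packets_to_check` and `extra_packets_func` unconditionally, and nothing explains the difference. The debug line "Setting extra func from TGS-REQ" is also printed before the guard, so it fires on UDP flows where nothing is set. I would move the `printf` inside the `if(!packet->udp)` block, add a comment such as `/* UDP replies arrive in one datagram; only TCP needs reassembly across segments */` if that is the reason, and apply the same guard in the AS-REQ branch if it holds there too. The enclosing function starts and ends outside this hunk.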
@@ -403,24 +427,20 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
if(cname_len && cname_str[cname_len-1] == '$') {
cname_str[cname_len-1] = '\0';
snprintf(flow->protos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname), "%s", cname_str);
- } else
+ } else {
snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str);
+ }
- ndpi_int_kerberos_add_connection(ndpi_struct, flow);
+#ifdef KERBEROS_DEBUG
+ printf("[TGS-REP] Found everything. disabling extra func\n");
+#endif
+ flow->extra_packets_func = NULL;
}
}
}
return;
}
-
- if(packet->payload_packet_len > 21 &&
- packet->payload[16] == 0x05 &&
- (packet->payload[21] == 0x0a ||
- packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) {
- ndpi_int_kerberos_add_connection(ndpi_struct, flow);
- return;
- }
}
}
} else {
@@ -437,6 +457,27 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
+static int ndpi_search_kerberos_extra(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+
+#ifdef KERBEROS_DEBUG
+ printf("[Kerberos] Extra function\n");
+#endif
+
+ /* Unfortunately, generic "extra function" code doesn't honour protocol bitmask */
+ /* TODO: handle that in ndpi_main.c for all the protocols */
+ if(packet->payload_packet_len == 0 ||
+ packet->tcp_retransmission)
+ return 1;
+
+ /* Possibly dissect the reply */
+ ndpi_search_kerberos(ndpi_struct, flow);
+
+ /* Possibly more processing */
+ return 1;
+}
void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
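Review bot: ndpi_search_kerberos_extra() returns 1 on every path, so the dissection only stops when ndpi_search_kerberos() clears `flow->extra_packets_func` or the limit of 5 extra packets set by the callers is reached, and the function has no comment saying so. I would add a header comment such as `/* Always returns 1; dissection stops when ndpi_search_kerberos() sets flow->extra_packets_func to NULL */`, or make the contract explicit with `return flow->extra_packets_func != NULL;` if the generic caller treats 0 as "stop" (that caller is not visible here). Re-entering ndpi_search_kerberos() on a continuation segment may also reach the trailing `NDPI_EXCLUDE_PROTO` shown at the top of this hunk. Whether that can happen for a flow already classified as Kerberos depends on code outside the hunk and should be checked against the new fuzz capture.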
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index b3c087ea2..8a4e8fa2e 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -177,16 +177,16 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if(user) {
char *pwd;
- snprintf(flow->protos.ftp_imap_pop_smtp.username,
- sizeof(flow->protos.ftp_imap_pop_smtp.username),
+ snprintf(flow->ftp_imap_pop_smtp.username,
+ sizeof(flow->ftp_imap_pop_smtp.username),
"%s", user);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
pwd = strtok_r(NULL, " \"\r\n", &saveptr);
if(pwd) {
- snprintf(flow->protos.ftp_imap_pop_smtp.password,
- sizeof(flow->protos.ftp_imap_pop_smtp.password),
+ snprintf(flow->ftp_imap_pop_smtp.password,
+ sizeof(flow->ftp_imap_pop_smtp.password),
"%s", pwd);
}
}
@@ -320,7 +320,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
|| (flow->l4.tcp.mail_imap_stage == 5)
|| (flow->l4.tcp.mail_imap_stage == 7)
) {
- if((flow->protos.ftp_imap_pop_smtp.username[0] != '\0')
+ if((flow->ftp_imap_pop_smtp.username[0] != '\0')
|| (flow->l4.tcp.mail_imap_stage >= 7)) {
NDPI_LOG_INFO(ndpi_struct, "found MAIL_IMAP\n");
ndpi_int_mail_imap_add_connection(ndpi_struct, flow);
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index c51192b44..483c4da35 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -77,8 +77,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
&& (packet->payload[1] == 'S' || packet->payload[1] == 's')
&& (packet->payload[2] == 'E' || packet->payload[2] == 'e')
&& (packet->payload[3] == 'R' || packet->payload[3] == 'r')) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.username,
- sizeof(flow->protos.ftp_imap_pop_smtp.username), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.username,
+ sizeof(flow->ftp_imap_pop_smtp.username), 5,
packet->payload, packet->payload_packet_len);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
@@ -88,8 +88,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
&& (packet->payload[1] == 'A' || packet->payload[1] == 'a')
&& (packet->payload[2] == 'S' || packet->payload[2] == 's')
&& (packet->payload[3] == 'S' || packet->payload[3] == 's')) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.password,
- sizeof(flow->protos.ftp_imap_pop_smtp.password), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.password,
+ sizeof(flow->ftp_imap_pop_smtp.password), 5,
packet->payload, packet->payload_packet_len);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
@@ -182,7 +182,7 @@ void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct
if(flow->l4.tcp.mail_pop_stage > 0) {
NDPI_LOG_INFO(ndpi_struct, "mail_pop identified\n");
- if((flow->protos.ftp_imap_pop_smtp.password[0] != '\0')
+ if((flow->ftp_imap_pop_smtp.password[0] != '\0')
|| (flow->l4.tcp.mail_pop_stage > 3)) {
ndpi_int_mail_pop_add_connection(ndpi_struct, flow);
popInitExtraPacketProcessing(flow);
@@ -222,7 +222,7 @@ int ndpi_extra_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_str
ndpi_search_mail_pop_tcp(ndpi_struct, flow);
- rc = (flow->protos.ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
+ rc = (flow->ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
#ifdef POP_DEBUG
printf("**** %s() [rc: %d]\n", __FUNCTION__, rc);
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 551f67886..31310202b 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -93,19 +93,19 @@ static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi
user_len = i - 1;
}
if(user_len > 0) {
- user_len = ndpi_min(user_len, sizeof(flow->protos.ftp_imap_pop_smtp.username) - 1);
+ user_len = ndpi_min(user_len, sizeof(flow->ftp_imap_pop_smtp.username) - 1);
- memcpy(flow->protos.ftp_imap_pop_smtp.username, out + 1, user_len);
- flow->protos.ftp_imap_pop_smtp.username[user_len] = '\0';
+ memcpy(flow->ftp_imap_pop_smtp.username, out + 1, user_len);
+ flow->ftp_imap_pop_smtp.username[user_len] = '\0';
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
if(1 + user_len + 1 < out_len) {
unsigned int pwd_len;
- pwd_len = ndpi_min(out_len - (1 + user_len + 1), sizeof(flow->protos.ftp_imap_pop_smtp.password) - 1);
- memcpy(flow->protos.ftp_imap_pop_smtp.password, out + 1 + user_len + 1, pwd_len);
- flow->protos.ftp_imap_pop_smtp.password[pwd_len] = '\0';
+ pwd_len = ndpi_min(out_len - (1 + user_len + 1), sizeof(flow->ftp_imap_pop_smtp.password) - 1);
+ memcpy(flow->ftp_imap_pop_smtp.password, out + 1 + user_len + 1, pwd_len);
+ flow->ftp_imap_pop_smtp.password[pwd_len] = '\0';
}
}
ndpi_free(out);
@@ -183,25 +183,25 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->line[a].ptr[3] == 'O' || packet->line[a].ptr[3] == 'o')
&& packet->line[a].ptr[4] == ' ') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_HELO_EHLO;
- flow->protos.ftp_imap_pop_smtp.auth_found = 0;
+ flow->ftp_imap_pop_smtp.auth_found = 0;
} else if((packet->line[a].ptr[0] == 'M' || packet->line[a].ptr[0] == 'm')
&& (packet->line[a].ptr[1] == 'A' || packet->line[a].ptr[1] == 'a')
&& (packet->line[a].ptr[2] == 'I' || packet->line[a].ptr[2] == 'i')
&& (packet->line[a].ptr[3] == 'L' || packet->line[a].ptr[3] == 'l')
&& packet->line[a].ptr[4] == ' ') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_MAIL;
- flow->protos.ftp_imap_pop_smtp.auth_found = 0;
+ flow->ftp_imap_pop_smtp.auth_found = 0;
/* We shouldn't be here if there are credentials */
- flow->protos.ftp_imap_pop_smtp.auth_done = 1;
+ flow->ftp_imap_pop_smtp.auth_done = 1;
} else if((packet->line[a].ptr[0] == 'R' || packet->line[a].ptr[0] == 'r')
&& (packet->line[a].ptr[1] == 'C' || packet->line[a].ptr[1] == 'c')
&& (packet->line[a].ptr[2] == 'P' || packet->line[a].ptr[2] == 'p')
&& (packet->line[a].ptr[3] == 'T' || packet->line[a].ptr[3] == 't')
&& packet->line[a].ptr[4] == ' ') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_RCPT;
- flow->protos.ftp_imap_pop_smtp.auth_found = 0;
+ flow->ftp_imap_pop_smtp.auth_found = 0;
/* We shouldn't be here if there are credentials */
- flow->protos.ftp_imap_pop_smtp.auth_done = 1;
+ flow->ftp_imap_pop_smtp.auth_done = 1;
} else if((packet->line[a].ptr[0] == 'A' || packet->line[a].ptr[0] == 'a')
&& (packet->line[a].ptr[1] == 'U' || packet->line[a].ptr[1] == 'u')
&& (packet->line[a].ptr[2] == 'T' || packet->line[a].ptr[2] == 't')
@@ -210,7 +210,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef SMTP_DEBUG
printf("%s() AUTH [%.*s]\n", __FUNCTION__, packet->line[a].len, packet->line[a].ptr);
#endif
- flow->protos.ftp_imap_pop_smtp.auth_found = 1;
+ flow->ftp_imap_pop_smtp.auth_found = 1;
if(packet->line[a].len >= 6) {
if(packet->line[a].ptr[5] == 'L' || packet->line[a].ptr[5] == 'l') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_LOGIN;
@@ -220,7 +220,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
/* AUTH PLAIN: username and pwd here */
get_credentials_auth_plain(ndpi_struct, flow,
packet->line[a].ptr, packet->line[a].len);
- flow->protos.ftp_imap_pop_smtp.auth_done = 1;
+ flow->ftp_imap_pop_smtp.auth_done = 1;
}
}
} else {
@@ -229,9 +229,9 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
printf("%s() => [%.*s]\n", __FUNCTION__, packet->line[a].len, packet->line[a].ptr);
#endif
- if(flow->protos.ftp_imap_pop_smtp.auth_found &&
+ if(flow->ftp_imap_pop_smtp.auth_found &&
(flow->l4.tcp.smtp_command_bitmask & SMTP_BIT_AUTH_LOGIN)) {
- if(flow->protos.ftp_imap_pop_smtp.username[0] == '\0') {
+ if(flow->ftp_imap_pop_smtp.username[0] == '\0') {
/* Username */
u_int8_t buf[48];
u_char *out;
@@ -241,22 +241,22 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
packet->line[a].ptr, packet->line[a].len);
#ifdef SMTP_DEBUG
- printf("%s() => [auth: %u] (username) [%s]\n", __FUNCTION__, flow->protos.ftp_imap_pop_smtp.auth_found, buf);
+ printf("%s() => [auth: %u] (username) [%s]\n", __FUNCTION__, flow->ftp_imap_pop_smtp.auth_found, buf);
#endif
out = ndpi_base64_decode((const u_char*)buf, (size_t)strlen((const char*)buf), &out_len);
if(out) {
- size_t len = ndpi_min(out_len, sizeof(flow->protos.ftp_imap_pop_smtp.username) - 1);
+ size_t len = ndpi_min(out_len, sizeof(flow->ftp_imap_pop_smtp.username) - 1);
- memcpy(flow->protos.ftp_imap_pop_smtp.username, out, len);
- flow->protos.ftp_imap_pop_smtp.username[len] = '\0';
+ memcpy(flow->ftp_imap_pop_smtp.username, out, len);
+ flow->ftp_imap_pop_smtp.username[len] = '\0';
ndpi_free(out);
}
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
- } else if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0') {
+ } else if(flow->ftp_imap_pop_smtp.password[0] == '\0') {
/* Password */
u_int8_t buf[48];
u_char *out;
@@ -266,23 +266,23 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
packet->line[a].ptr, packet->line[a].len);
#ifdef SMTP_DEBUG
- printf("%s() => [auth: %u] (password) [%s]\n", __FUNCTION__, flow->protos.ftp_imap_pop_smtp.auth_found, buf);
+ printf("%s() => [auth: %u] (password) [%s]\n", __FUNCTION__, flow->ftp_imap_pop_smtp.auth_found, buf);
#endif
out = ndpi_base64_decode((const u_char*)buf, (size_t)strlen((const char*)buf), &out_len);
if(out) {
- size_t len = ndpi_min(out_len, sizeof(flow->protos.ftp_imap_pop_smtp.password) - 1);
+ size_t len = ndpi_min(out_len, sizeof(flow->ftp_imap_pop_smtp.password) - 1);
- memcpy(flow->protos.ftp_imap_pop_smtp.password, out, len);
- flow->protos.ftp_imap_pop_smtp.password[len] = '\0';
+ memcpy(flow->ftp_imap_pop_smtp.password, out, len);
+ flow->ftp_imap_pop_smtp.password[len] = '\0';
ndpi_free(out);
}
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
- flow->protos.ftp_imap_pop_smtp.auth_done = 1;
+ flow->ftp_imap_pop_smtp.auth_done = 1;
} else {
flow->host_server_name[0] = '\0';
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
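Review bot: The SMTP_DEBUG printf in the password branch prints `buf`, which is the base64 form of the captured password, and the later `bit_count` hunk prints the decoded `flow->ftp_imap_pop_smtp.password` with `%s`, so a debug build writes recoverable credentials to stdout. Printing only the length keeps the trace useful: `printf("%s() => [auth: %u] (password) [len: %u]\n", __FUNCTION__, flow->ftp_imap_pop_smtp.auth_found, (unsigned)strlen((const char*)buf));`. The same applies to the `bit_count` printf. ndpi_search_mail_smtp_tcp starts and ends outside this hunk.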
@@ -303,8 +303,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[6] == 'l')
&& (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[7] == 's')) {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS;
- flow->protos.ftp_imap_pop_smtp.auth_tls = 1;
- flow->protos.ftp_imap_pop_smtp.auth_done = 1;
+ flow->ftp_imap_pop_smtp.auth_tls = 1;
+ flow->ftp_imap_pop_smtp.auth_done = 1;
}
}
@@ -342,7 +342,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef SMTP_DEBUG
printf("%s() [bit_count: %u][%s]\n", __FUNCTION__,
- bit_count, flow->protos.ftp_imap_pop_smtp.password);
+ bit_count, flow->ftp_imap_pop_smtp.password);
#endif
/* Only if we don't have already set the protocol via hostname matching */
@@ -380,7 +380,7 @@ int ndpi_extra_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_st
ndpi_search_mail_smtp_tcp(ndpi_struct, flow);
- rc = (flow->protos.ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
+ rc = (flow->ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
#ifdef SMTP_DEBUG
printf("**** %s() [rc: %d]\n", __FUNCTION__, rc);
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 206c3b951..f908dc58c 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1297,7 +1297,7 @@ static void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
packet->payload_packet_len = crypto_data_len;
processClientServerHello(ndpi_struct, flow, version);
- flow->protos.tls_quic_stun.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
+ flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
/* Restore */
packet->payload = p;
@@ -1307,12 +1307,12 @@ static void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
this way we lose JA3S and negotiated ciphers...
Negotiated version is only present in the ServerHello message too, but
fortunately, QUIC always uses TLS version 1.3 */
- flow->protos.tls_quic_stun.tls_quic.ssl_version = 0x0304;
+ flow->protos.tls_quic.ssl_version = 0x0304;
/* DNS-over-QUIC: ALPN is "doq" or "doq-XXX" (for drafts versions) */
- if(flow->protos.tls_quic_stun.tls_quic.alpn &&
- strncmp(flow->protos.tls_quic_stun.tls_quic.alpn, "doq", 3) == 0) {
- NDPI_LOG_DBG(ndpi_struct, "Found DOQ (ALPN: [%s])\n", flow->protos.tls_quic_stun.tls_quic.alpn);
+ if(flow->protos.tls_quic.alpn &&
+ strncmp(flow->protos.tls_quic.alpn, "doq", 3) == 0) {
+ NDPI_LOG_DBG(ndpi_struct, "Found DOQ (ALPN: [%s])\n", flow->protos.tls_quic.alpn);
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_QUIC);
}
}
@@ -1356,22 +1356,22 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
crypto_data_len, tag_offset_start, prev_offset, offset, len);
#endif
if(memcmp(tag, "SNI\0", 4) == 0) {
- sni_len = MIN(len, sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name) - 1);
- memcpy(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
+ sni_len = MIN(len, sizeof(flow->protos.tls_quic.client_requested_server_name) - 1);
+ memcpy(flow->protos.tls_quic.client_requested_server_name,
&crypto_data[tag_offset_start + prev_offset], sni_len);
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[sni_len] = '\0';
+ flow->protos.tls_quic.client_requested_server_name[sni_len] = '\0';
NDPI_LOG_DBG2(ndpi_struct, "SNI: [%s]\n",
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+ flow->protos.tls_quic.client_requested_server_name);
ndpi_match_host_subprotocol(ndpi_struct, flow,
- (char *)flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
- strlen((const char*)flow->protos.tls_quic_stun.tls_quic.client_requested_server_name),
+ (char *)flow->protos.tls_quic.client_requested_server_name,
+ strlen((const char*)flow->protos.tls_quic.client_requested_server_name),
&ret_match, NDPI_PROTOCOL_QUIC);
- flow->protos.tls_quic_stun.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
+ flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
ndpi_check_dga_name(ndpi_struct, flow,
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1);
+ flow->protos.tls_quic.client_requested_server_name, 1);
sni_found = 1;
if (ua_found)
@@ -1396,7 +1396,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "Something went wrong in tags iteration\n");
/* Add check for missing SNI */
- if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') {
+ if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') {
/* This is a bit suspicious */
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI);
}
@@ -1508,7 +1508,7 @@ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struc
*/
if((version == V_Q046 &&
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') ||
+ flow->protos.tls_quic.client_requested_server_name[0] == '\0') ||
is_ch_reassembler_pending(flow)) {
NDPI_LOG_DBG2(ndpi_struct, "We have further work to do\n");
return 1;
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 24f92afe2..2d5ad5981 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -84,7 +84,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
if((payload_len < 2)
|| (d_port == 5355 /* LLMNR_PORT */)
|| (d_port == 5353 /* MDNS_PORT */)
- || flow->protos.tls_quic_stun.stun.num_binding_requests
+ || flow->stun.num_binding_requests
) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index e1d8f11c8..f0884fae3 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -164,7 +164,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
} else if(payload_length < sizeof(struct stun_packet_header)) {
/* This looks like an invalid packet */
- if(flow->protos.tls_quic_stun.stun.num_udp_pkts > 0) {
+ if(flow->stun.num_udp_pkts > 0) {
// flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN);
} else
@@ -260,7 +260,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
if(msg_type == 0x01 /* Binding Request */) {
- flow->protos.tls_quic_stun.stun.num_binding_requests++;
+ flow->stun.num_binding_requests++;
if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
@@ -268,7 +268,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(!msg_len) {
- /* flow->protos.tls_quic_stun.stun.num_udp_pkts++; */
+ /* flow->stun.num_udp_pkts++; */
return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
}
}
@@ -278,13 +278,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN);
}
- flow->protos.tls_quic_stun.stun.num_udp_pkts++;
+ flow->stun.num_udp_pkts++;
if((payload[0] == 0x80 && payload_length < 512 && ((msg_len+20) <= payload_length))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
} else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) ||
- (flow->protos.tls_quic_stun.stun.num_binding_requests >= 4))) {
+ (flow->stun.num_binding_requests >= 4))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
}
@@ -462,14 +462,14 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
}
- if((flow->protos.tls_quic_stun.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
+ if((flow->stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN);
} else
return(NDPI_IS_NOT_STUN);
udp_stun_found:
- flow->protos.tls_quic_stun.stun.num_processed_pkts++;
+ flow->stun.num_processed_pkts++;
#ifdef DEBUG_STUN
printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n");
@@ -480,7 +480,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
- rc = (flow->protos.tls_quic_stun.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
+ rc = (flow->stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
return rc;
}
@@ -532,7 +532,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
- if(flow->protos.tls_quic_stun.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
+ if(flow->stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
if(flow->packet_counter > 0) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 5b2941405..d912ae947 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -391,8 +391,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf);
#endif
- if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.issuerDN == NULL)) {
- flow->protos.tls_quic_stun.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
+ if(rdn_len && (flow->protos.tls_quic.issuerDN == NULL)) {
+ flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
if (ndpi_is_printable_string(rdnSeqBuf, rdn_len) == 0) {
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
}
@@ -421,10 +421,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* 141021000000Z */
if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) {
- flow->protos.tls_quic_stun.tls_quic.notBefore = timegm(&utc);
+ flow->protos.tls_quic.notBefore = timegm(&utc);
#ifdef DEBUG_TLS
printf("[CERTIFICATE] notBefore %u [%s]\n",
- flow->protos.tls_quic_stun.tls_quic.notBefore, utcDate);
+ flow->protos.tls_quic.notBefore, utcDate);
#endif
}
}
@@ -455,20 +455,20 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* 141021000000Z */
if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) {
- flow->protos.tls_quic_stun.tls_quic.notAfter = timegm(&utc);
+ flow->protos.tls_quic.notAfter = timegm(&utc);
#ifdef DEBUG_TLS
printf("[CERTIFICATE] notAfter %u [%s]\n",
- flow->protos.tls_quic_stun.tls_quic.notAfter, utcDate);
+ flow->protos.tls_quic.notAfter, utcDate);
#endif
}
}
- if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE)
- if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)
+ if (flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE)
+ if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD)
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/
- if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore)
- || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
+ if((time_sec < flow->protos.tls_quic.notBefore)
+ || (time_sec > flow->protos.tls_quic.notAfter))
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
}
}
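Review bot: The validity-length test subtracts `notBefore` from `notAfter` without checking their order first. The `%u` in the debug printf suggests both fields are unsigned (their declaration is not in this hunk); if so, a certificate whose notAfter precedes notBefore wraps to a huge difference and raises NDPI_TLS_CERT_VALIDITY_TOO_LONG for the wrong reason. The two unbraced nested `if`s can become one guarded condition: `if((flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE) && (flow->protos.tls_quic.notAfter >= flow->protos.tls_quic.notBefore) && ((flow->protos.tls_quic.notAfter - flow->protos.tls_quic.notBefore) > TLS_THRESHOLD))`. processCertificateElements continues outside the hunk.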
@@ -478,7 +478,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
u_int8_t matched_name = 0;
/* If the client hello was not observed or the requested name was missing, there is no need to trigger an alert */
- if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
+ if(flow->protos.tls_quic.client_requested_server_name[0] == '\0')
matched_name = 1;
#ifdef DEBUG_TLS
@@ -520,7 +520,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
#if DEBUG_TLS
printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName,
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, len,
+ flow->protos.tls_quic.client_requested_server_name, len,
packet->payload_packet_len-i-len);
#endif
if (ndpi_is_printable_string(dNSName, len) == 0) {
@@ -530,19 +530,19 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(matched_name == 0) {
#if DEBUG_TLS
printf("[TLS] Trying to match '%s' with '%s'\n",
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
+ flow->protos.tls_quic.client_requested_server_name,
dNSName);
#endif
- if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
+ if(flow->protos.tls_quic.client_requested_server_name[0] == '\0')
matched_name = 1; /* No SNI */
else if (dNSName[0] == '*')
{
- char * label = strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]);
+ char * label = strstr(flow->protos.tls_quic.client_requested_server_name, &dNSName[1]);
if (label != NULL)
{
- char * first_dot = strchr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, '.');
+ char * first_dot = strchr(flow->protos.tls_quic.client_requested_server_name, '.');
if (first_dot == NULL || first_dot >= label)
{
@@ -550,33 +550,33 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
}
- else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0) {
+ else if(strcmp(flow->protos.tls_quic.client_requested_server_name, dNSName) == 0) {
matched_name = 1;
}
}
- if(flow->protos.tls_quic_stun.tls_quic.server_names == NULL)
- flow->protos.tls_quic_stun.tls_quic.server_names = ndpi_strdup(dNSName),
- flow->protos.tls_quic_stun.tls_quic.server_names_len = strlen(dNSName);
+ if(flow->protos.tls_quic.server_names == NULL)
+ flow->protos.tls_quic.server_names = ndpi_strdup(dNSName),
+ flow->protos.tls_quic.server_names_len = strlen(dNSName);
else {
u_int16_t dNSName_len = strlen(dNSName);
- u_int16_t newstr_len = flow->protos.tls_quic_stun.tls_quic.server_names_len + dNSName_len + 1;
- char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic_stun.tls_quic.server_names,
- flow->protos.tls_quic_stun.tls_quic.server_names_len+1, newstr_len+1);
+ u_int16_t newstr_len = flow->protos.tls_quic.server_names_len + dNSName_len + 1;
+ char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic.server_names,
+ flow->protos.tls_quic.server_names_len+1, newstr_len+1);
if(newstr) {
- flow->protos.tls_quic_stun.tls_quic.server_names = newstr;
- flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len] = ',';
- strncpy(&flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len+1],
+ flow->protos.tls_quic.server_names = newstr;
+ flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len] = ',';
+ strncpy(&flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len+1],
dNSName, dNSName_len+1);
- flow->protos.tls_quic_stun.tls_quic.server_names[newstr_len] = '\0';
- flow->protos.tls_quic_stun.tls_quic.server_names_len = newstr_len;
+ flow->protos.tls_quic.server_names[newstr_len] = '\0';
+ flow->protos.tls_quic.server_names_len = newstr_len;
}
}
- if(!flow->protos.tls_quic_stun.tls_quic.subprotocol_detected)
+ if(!flow->protos.tls_quic.subprotocol_detected)
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, len))
- flow->protos.tls_quic_stun.tls_quic.subprotocol_detected = 1;
+ flow->protos.tls_quic.subprotocol_detected = 1;
i += len;
} else {
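Review bot: `newstr_len` is a `u_int16_t` computed as `server_names_len + dNSName_len + 1`, so if the accumulated list of certificate names can pass 65535 bytes the value truncates. The `ndpi_realloc` request then shrinks while the writes at `server_names[server_names_len]` still use the old, larger offset. Whether that length is reachable depends on limits outside this hunk, so it should be confirmed; computing in `size_t` and refusing to grow past what `server_names_len` can hold removes the question. The `strncpy` bound is derived from the source length, so it adds no protection, and a `memcpy` of `dNSName_len+1` bytes states the intent. The rewritten `else` branch is below; the surrounding loop starts and ends outside the hunk.

```c
else {
  size_t dNSName_len = strlen(dNSName);
  size_t cur_len     = flow->protos.tls_quic.server_names_len;
  size_t newstr_len  = cur_len + dNSName_len + 1;

  /* server_names_len is assumed to be 16 bit (confirm): never grow past what it can hold */
  if(newstr_len <= 0xFFFF) {
    char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic.server_names,
                                       cur_len+1, newstr_len+1);

    if(newstr) {
      newstr[cur_len] = ',';
      memcpy(&newstr[cur_len+1], dNSName, dNSName_len+1); /* copies the trailing NUL too */
      flow->protos.tls_quic.server_names     = newstr;
      flow->protos.tls_quic.server_names_len = (u_int16_t)newstr_len;
    }
  }
}
/* … unchanged: subprotocol_detected check and i += len … */
```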
@@ -599,8 +599,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
} /* for */
- if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.subjectDN == NULL)) {
- flow->protos.tls_quic_stun.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf);
+ if(rdn_len && (flow->protos.tls_quic.subjectDN == NULL)) {
+ flow->protos.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf);
if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
/* No idea what is happening behind the scenes: let's check the certificate */
@@ -631,8 +631,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
- if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN
- && (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN)))
+ if(flow->protos.tls_quic.subjectDN && flow->protos.tls_quic.issuerDN
+ && (!strcmp(flow->protos.tls_quic.subjectDN, flow->protos.tls_quic.issuerDN)))
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE);
#if DEBUG_TLS
@@ -721,12 +721,12 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
&packet->payload[certificates_offset],
certificate_len);
- SHA1Final(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
+ SHA1Final(flow->protos.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
flow->l4.tcp.tls.fingerprint_set = 1;
- uint8_t * sha1 = flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint;
- const size_t sha1_siz = sizeof(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint);
+ uint8_t * sha1 = flow->protos.tls_quic.sha1_certificate_fingerprint;
+ const size_t sha1_siz = sizeof(flow->protos.tls_quic.sha1_certificate_fingerprint);
char sha1_str[20 /* sha1_siz */ * 2 + 1];
static const char hexalnum[] = "0123456789ABCDEF";
size_t i;
@@ -774,7 +774,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
int ret;
-#ifdef DEBUG_TL
+#ifdef DEBUG_TLS
printf("[TLS] Processing block %u\n", packet->payload[0]);
#endif
@@ -782,16 +782,16 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
case 0x01: /* Client Hello */
case 0x02: /* Server Hello */
processClientServerHello(ndpi_struct, flow, 0);
- flow->protos.tls_quic_stun.tls_quic.hello_processed = 1;
+ flow->protos.tls_quic.hello_processed = 1;
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
#ifdef DEBUG_TLS
printf("*** TLS [version: %02X][%s Hello]\n",
- flow->protos.tls_quic_stun.tls_quic.ssl_version,
+ flow->protos.tls_quic.ssl_version,
(packet->payload[0] == 0x01) ? "Client" : "Server");
#endif
- if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
+ if((flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
&& (packet->payload[0] == 0x02 /* Server Hello */)) {
flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
}
@@ -802,7 +802,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
case 0x0b: /* Certificate */
/* Important: populate the tls union fields only after
* ndpi_int_tls_add_connection has been called */
- if(flow->protos.tls_quic_stun.tls_quic.hello_processed) {
+ if(flow->protos.tls_quic.hello_processed) {
ret = processCertificate(ndpi_struct, flow);
if (ret != 1) {
#ifdef DEBUG_TLS
@@ -1106,7 +1106,7 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd
static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
- char * alpn_start = flow->protos.tls_quic_stun.tls_quic.alpn;
+ char * alpn_start = flow->protos.tls_quic.alpn;
char * comma_or_nul = alpn_start;
do {
int alpn_len;
@@ -1310,10 +1310,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
return(0); /* Not found */
ja3.server.num_cipher = 1, ja3.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
- if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1)
+ if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1)
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER);
- flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.server.cipher[0];
+ flow->protos.tls_quic.server_cipher = ja3.server.cipher[0];
#ifdef DEBUG_TLS
printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.server.cipher[0]);
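Review bot: The result of `ndpi_is_safe_ssl_cipher()` is stored in a field named `server_unsafe_cipher` and the risk is raised only when it equals exactly 1, which reads as inverted and hides what the stored value means. The function's return contract is not visible in this hunk; if it grades ciphers in more than two levels, a value above 1 is stored but never raises NDPI_TLS_WEAK_CIPHER. A comment above the test, such as `/* ndpi_is_safe_ssl_cipher(): 0 = safe, non-zero = weak or insecure (confirm against its definition) */`, and, if that contract holds, a test of `!= 0` instead of `== 1`, would make the intent explicit. processClientServerHello continues outside the hunk.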
@@ -1360,7 +1360,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("TLS [server] [TLS version: 0x%04X]\n", tls_version);
#endif
- flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.server.tls_supported_version = tls_version;
+ flow->protos.tls_quic.ssl_version = ja3.server.tls_supported_version = tls_version;
}
} else if(extension_id == 16 /* application_layer_protocol_negotiation (ALPN) */ &&
offset + 6 < packet->payload_packet_len) {
@@ -1416,10 +1416,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if (ndpi_is_printable_string(alpn_str, alpn_str_len) == 0)
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
- if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL)
- flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str);
+ if(flow->protos.tls_quic.alpn == NULL)
+ flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str);
- if(flow->protos.tls_quic_stun.tls_quic.alpn != NULL)
+ if(flow->protos.tls_quic.alpn != NULL)
tlsCheckUncommonALPN(ndpi_struct, flow);
snprintf(ja3.server.alpn, sizeof(ja3.server.alpn), "%s", alpn_str);
@@ -1508,13 +1508,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++) {
- int rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_server[j],
- sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_server)-j, "%02x", md5_hash[i]);
+ int rc = snprintf(&flow->protos.tls_quic.ja3_server[j],
+ sizeof(flow->protos.tls_quic.ja3_server)-j, "%02x", md5_hash[i]);
if(rc <= 0) break; else j += rc;
}
#ifdef DEBUG_TLS
- printf("[JA3] Server: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_server);
+ printf("[JA3] Server: %s \n", flow->protos.tls_quic.ja3_server);
#endif
} else if(handshake_type == 0x01 /* Client Hello */) {
u_int16_t cipher_len, cipher_offset;
@@ -1528,8 +1528,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ja3.client.supported_versions[0] = '\0';
ja3.client.alpn[0] = '\0';
- flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version;
- if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */
+ flow->protos.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version;
+ if(flow->protos.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION);
if((session_id_len+base_offset+3) > packet->payload_packet_len)
@@ -1629,19 +1629,19 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
this is time consuming and we want to avoid overhead whem possible
*/
if(this_is_not_safari)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
+ flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0;
else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur))
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1;
+ flow->protos.tls_quic.browser_heuristics.is_safari_tls = 1;
if(chrome_ciphers == 13)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 1;
+ flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 1;
/* Note that both Safari and Chrome can overlap */
#ifdef DEBUG_HEURISTIC
printf("[CIPHERS] [is_chrome_tls: %u (%u)][is_safari_tls: %u (%u)][this_is_not_safari: %u]\n",
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls,
+ flow->protos.tls_quic.browser_heuristics.is_chrome_tls,
chrome_ciphers,
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls,
+ flow->protos.tls_quic.browser_heuristics.is_safari_tls,
safari_ciphers,
this_is_not_safari);
#endif
@@ -1729,8 +1729,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
cleanupServerName(buffer, sizeof(buffer));
- snprintf(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
- sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name),
+ snprintf(flow->protos.tls_quic.client_requested_server_name,
+ sizeof(flow->protos.tls_quic.client_requested_server_name),
"%s", buffer);
#ifdef DEBUG_TLS
printf("[TLS] SNI: [%s]\n", buffer);
@@ -1742,19 +1742,19 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(!is_quic) {
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer)))
- flow->protos.tls_quic_stun.tls_quic.subprotocol_detected = 1;
+ flow->protos.tls_quic.subprotocol_detected = 1;
} else {
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, buffer, strlen(buffer)))
- flow->protos.tls_quic_stun.tls_quic.subprotocol_detected = 1;
+ flow->protos.tls_quic.subprotocol_detected = 1;
}
if(ndpi_check_dga_name(ndpi_struct, flow,
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1)) {
- char *sni = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
+ flow->protos.tls_quic.client_requested_server_name, 1)) {
+ char *sni = flow->protos.tls_quic.client_requested_server_name;
int len = strlen(sni);
#ifdef DEBUG_TLS
- printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+ printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name);
#endif
if((len >= 4)
@@ -1764,7 +1764,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
} else {
#ifdef DEBUG_TLS
- printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+ printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name);
#endif
}
} else {
@@ -1849,10 +1849,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
tot_signature_algorithms_len = ndpi_min((sizeof(ja3.client.signature_algorithms) / 2) - 1, tot_signature_algorithms_len);
#ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
- flow->protos.tls_quic_stun.tls_quic.num_tls_signature_algorithms = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS);
+ flow->protos.tls_quic.num_tls_signature_algorithms = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS);
- memcpy(flow->protos.tls_quic_stun.tls_quic.client_signature_algorithms,
- &packet->payload[s_offset], 2 /* 16 bit */*flow->protos.tls_quic_stun.tls_quic.num_tls_signature_algorithms);
+ memcpy(flow->protos.tls_quic.client_signature_algorithms,
+ &packet->payload[s_offset], 2 /* 16 bit */*flow->protos.tls_quic.num_tls_signature_algorithms);
#endif
for(i=0; i<tot_signature_algorithms_len && s_offset+i<total_len; i++) {
@@ -1899,7 +1899,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
switch(signature_algo) {
case ECDSA_SECP521R1_SHA512:
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls = 1;
+ flow->protos.tls_quic.browser_heuristics.is_firefox_tls = 1;
break;
case ECDSA_SECP256R1_SHA256:
@@ -1925,29 +1925,29 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
safari_signature_algorithms, chrome_signature_algorithms);
#endif
- if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0,
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
+ if(flow->protos.tls_quic.browser_heuristics.is_firefox_tls)
+ flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0,
+ flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0;
if(safari_signature_algorithms != 8)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
+ flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0;
if((chrome_signature_algorithms != 8) || duplicate_found)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
+ flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0;
/* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */
- if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
+ if(flow->protos.tls_quic.browser_heuristics.is_safari_tls)
+ flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0;
- if((flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls == 0)
+ if((flow->protos.tls_quic.browser_heuristics.is_chrome_tls == 0)
&& duplicate_found)
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */
+ flow->protos.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */
#ifdef DEBUG_HEURISTIC
printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n",
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls,
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls,
- flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls,
+ flow->protos.tls_quic.browser_heuristics.is_firefox_tls,
+ flow->protos.tls_quic.browser_heuristics.is_chrome_tls,
+ flow->protos..tls_quic.browser_heuristics.is_safari_tls,
duplicate_found);
#endif
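Review bot: The third value passed to the DEBUG_HEURISTIC printf was rewritten as `flow->protos..tls_quic.browser_heuristics.is_safari_tls`, with a doubled dot, so the file no longer compiles when DEBUG_HEURISTIC is defined. The line should read `flow->protos.tls_quic.browser_heuristics.is_safari_tls,`. Normal builds hide the error because the block is conditional; building once with the debug macros enabled would catch this kind of slip in a mechanical rename.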
@@ -2003,8 +2003,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
#endif
- if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL)
- flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str);
+ if(flow->protos.tls_quic.alpn == NULL)
+ flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str);
snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str);
@@ -2061,8 +2061,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("Client TLS [SUPPORTED_VERSIONS: %s]\n", ja3.client.supported_versions);
#endif
- if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions == NULL)
- flow->protos.tls_quic_stun.tls_quic.tls_supported_versions = ndpi_strdup(version_str);
+ if(flow->protos.tls_quic.tls_supported_versions == NULL)
+ flow->protos.tls_quic.tls_supported_versions = ndpi_strdup(version_str);
}
} else if(extension_id == 65486 /* encrypted server name */) {
/*
@@ -2074,7 +2074,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
int initial_offset = e_offset;
u_int16_t cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
- flow->protos.tls_quic_stun.tls_quic.encrypted_sni.cipher_suite = cipher_suite;
+ flow->protos.tls_quic.encrypted_sni.cipher_suite = cipher_suite;
e_offset += 2; /* Cipher suite len */
@@ -2097,17 +2097,17 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len);
#endif
- if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) {
- flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
+ if(flow->protos.tls_quic.encrypted_sni.esni == NULL) {
+ flow->protos.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
- if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni) {
+ if(flow->protos.tls_quic.encrypted_sni.esni) {
u_int16_t i, off;
for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
- int rc = sprintf(&flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
+ int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
if(rc <= 0) {
- flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off] = '\0';
+ flow->protos.tls_quic.encrypted_sni.esni[off] = '\0';
break;
} else
off += rc;
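Review bot: The hex-encoding loop on the new side still writes with unbounded `sprintf` into the `esni` buffer allocated as `e_sni_len*2+1`, whereas the JA3 loop in a later hunk of this file passes the remaining size to `snprintf`. Bounding this write the same way would keep the two loops consistent and make the allocation size the enforced limit: `int rc = snprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], (e_sni_len*2+1)-off, "%02X", packet->payload[i] & 0XFF);`. Both `i` and `off` are `u_int16_t`, so they would wrap if `e_offset+e_sni_len` or `e_sni_len*2` can exceed 65535. Whether `e_sni_len` is validated against the payload length is decided outside this hunk and is worth confirming, since the value appears to come from the packet. The body of processClientServerHello starts and ends outside the hunk.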
@@ -2240,19 +2240,19 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++) {
- rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_client[j],
- sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_client)-j, "%02x",
+ rc = snprintf(&flow->protos.tls_quic.ja3_client[j],
+ sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x",
md5_hash[i]);
if(rc > 0) j += rc; else break;
}
#ifdef DEBUG_JA3C
- printf("[JA3] Client: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_client);
+ printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client);
#endif
if(ndpi_struct->malicious_ja3_automa.ac_automa != NULL) {
u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_ja3_automa.ac_automa,
- flow->protos.tls_quic_stun.tls_quic.ja3_client);
+ flow->protos.tls_quic.ja3_client);
if(rc1 > 0)
ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3);
@@ -2260,22 +2260,22 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
/* Before returning to the caller we need to make a final check */
- if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
- && (flow->protos.tls_quic_stun.tls_quic.alpn == NULL) /* No ALPN */) {
+ if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
+ && (flow->protos.tls_quic.alpn == NULL) /* No ALPN */) {
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS);
}
/* Suspicious Domain Fronting:
https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
- if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni &&
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') {
+ if(flow->protos.tls_quic.encrypted_sni.esni &&
+ flow->protos.tls_quic.client_requested_server_name[0] != '\0') {
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
}
/* Add check for missing SNI */
- if((flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == 0)
- && (flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
- && (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
+ if((flow->protos.tls_quic.client_requested_server_name[0] == 0)
+ && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
+ && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
) {
/* This is a bit suspicious */
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI);
@@ -2314,7 +2314,7 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st
__FUNCTION__,
flow->guessed_host_protocol_id,
packet->payload_packet_len,
- flow->protos.tls_quic_stun.tls_quic.ssl_version);
+ flow->protos.tls_quic.ssl_version);
#endif
if(packet->udp != NULL)
diff --git a/tests/pcap/dhcp-fuzz.pcapng b/tests/pcap/dhcp-fuzz.pcapng
new file mode 100644
index 000000000..d13b4a195
--- /dev/null
+++ b/tests/pcap/dhcp-fuzz.pcapng
Binary files differ
diff --git a/tests/pcap/kerberos_fuzz.pcapng b/tests/pcap/kerberos_fuzz.pcapng
new file mode 100644
index 000000000..02dca01a4
--- /dev/null
+++ b/tests/pcap/kerberos_fuzz.pcapng
Binary files differ
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index 834ac6ebe..83eff7c3b 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -73,8 +73,8 @@ JA3 Host Stats:
47 UDP [fe80::beee:7bff:fe0c:b3de]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][ClearText][cat: Network/14][4 pkts/392 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][14.54 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
48 UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/289 bytes][Goodput ratio: 52/85][0.01 sec][Host: dl-obs.official.line.naver.jp][203.69.81.73][PLAIN TEXT (official)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
49 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/TLS][Encrypted][cat: Web/5][4 pkts/220 bytes <-> 2 pkts/132 bytes][Goodput ratio: 2/0][45.01 sec][bytes ratio: 0.250 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/45002 14999/45002 44996/45002 21211/0][Pkt Len c2s/s2c min/avg/max/stddev: 55/66 55/66 55/66 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 50 UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: joanna-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][PLAIN TEXT (Joanna)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 51 UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: kevin-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][PLAIN TEXT (MSFT 5.07)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 50 UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: joanna-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (Joanna)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 51 UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: kevin-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (MSFT 5.07)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
52 UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][ClearText][cat: Streaming/17][2 pkts/146 bytes <-> 1 pkts/137 bytes][Goodput ratio: 42/69][0.05 sec][Host: pic.1kxun.com][106.187.35.246][Plen Bins: 66,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
53 UDP 192.168.0.104:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][3 pkts/276 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.54 sec][Host: sc.arrancar.org][PLAIN TEXT ( FDEDCOEBFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
54 UDP 192.168.115.8:51024 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][ClearText][cat: Streaming/17][2 pkts/160 bytes <-> 1 pkts/112 bytes][Goodput ratio: 47/62][0.02 sec][Host: jp.kankan.1kxun.mobi][106.185.35.110][PLAIN TEXT (kankan)][Plen Bins: 0,66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/alexa-app.pcapng.out b/tests/result/alexa-app.pcapng.out
index e4e375c92..1e82af37b 100644
--- a/tests/result/alexa-app.pcapng.out
+++ b/tests/result/alexa-app.pcapng.out
@@ -129,7 +129,7 @@ JA3 Host Stats:
105 TCP 172.16.42.216:45679 <-> 52.94.232.134:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][8 pkts/750 bytes <-> 5 pkts/428 bytes][Goodput ratio: 40/32][1.90 sec][ALPN: h2;http/1.1][bytes ratio: 0.273 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 44/87 101/159 37/66][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/86 293/139 78/32][Risk: ** Weak TLS cipher **** Possibly Malicious JA3 Fingerprint **][Risk Score: 150][TLSv1.2][Client: pitangui.amazon.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][JA3S: 18e962e106761869a61045bed0e81c2c (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,50,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
106 TCP 172.16.42.216:35540 <-> 172.217.9.142:80 [proto: 7.126/HTTP.Google][ClearText][cat: ConnCheck/30][4 pkts/460 bytes <-> 3 pkts/289 bytes][Goodput ratio: 41/29][0.09 sec][Host: connectivitycheck.android.com][bytes ratio: 0.228 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 30/24 45/48 20/24][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 115/96 254/149 80/37][URL: connectivitycheck.android.com/generate_204][StatusCode: 204][User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build/LMY47V)][PLAIN TEXT (GET /generate)][Plen Bins: 0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
107 TCP 172.16.42.216:60246 <-> 172.217.9.142:80 [proto: 7.126/HTTP.Google][ClearText][cat: ConnCheck/30][4 pkts/460 bytes <-> 3 pkts/289 bytes][Goodput ratio: 41/29][0.14 sec][Host: connectivitycheck.android.com][bytes ratio: 0.228 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/8 45/48 94/89 37/40][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 115/96 254/149 80/37][URL: connectivitycheck.android.com/generate_204][StatusCode: 204][User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build/LMY47V)][PLAIN TEXT (GET /generate)][Plen Bins: 0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 108 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][2 pkts/714 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][Host: android-1c1335ec95a27318][DHCP Fingerprint: 1,33,3,6,15,26,28][PLAIN TEXT (android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 108 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][2 pkts/714 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][Host: android-1c1335ec95a27318][DHCP Fingerprint: 1,33,3,6,15,26,28][DHCP Class Ident: dhcpcd-5.5.6][PLAIN TEXT (android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
109 TCP 172.16.42.216:40200 -> 10.201.126.241:8080 [proto: 131/HTTP_Proxy][ClearText][cat: Web/5][8 pkts/572 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][127.39 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 990/0 18197/0 64239/0 21317/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 72/0 74/0 7/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
110 TCP 172.16.42.216:40202 -> 10.201.126.241:8080 [proto: 131/HTTP_Proxy][ClearText][cat: Web/5][8 pkts/572 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][127.28 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1069/0 18182/0 64160/0 21286/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 72/0 74/0 7/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
111 TCP 172.16.42.216:49627 <-> 52.94.232.134:80 [proto: 7.265/HTTP.AmazonAWS][ClearText][cat: Cloud/13][6 pkts/364 bytes <-> 3 pkts/184 bytes][Goodput ratio: 0/0][1.34 sec][bytes ratio: 0.328 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/0 267/0 997/0 373/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 61/61 74/62 9/1][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/dhcp-fuzz.pcapng.out b/tests/result/dhcp-fuzz.pcapng.out
new file mode 100644
index 000000000..d2c21e0ff
--- /dev/null
+++ b/tests/result/dhcp-fuzz.pcapng.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 1
+
+DPI Packets (UDP): 1 (1.00 pkts/flow)
+
+DHCP 1 342 1
+
+ 1 UDP 192.168.155.104:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (MK03862)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/fuzz-2006-06-26-2594.pcap.out b/tests/result/fuzz-2006-06-26-2594.pcap.out
index 57ceb9ec3..60bd4a672 100644
--- a/tests/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/result/fuzz-2006-06-26-2594.pcap.out
@@ -20,7 +20,7 @@ SIP 85 39540 15
4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Host: ProFTPD][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 192.168.1.2:5060 -> 212.242.33.35:17860 [proto: 100/SIP][ClearText][cat: VoIP/10][1 pkts/1118 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (INVITE six)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][ClearText][cat: Media/1][5 pkts/1070 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.05 sec][PLAIN TEXT (goxcffj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 7 UDP 192.168.1.2:68 <-> 192.168.1.1:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes <-> 1 pkts/590 bytes][Goodput ratio: 87/93][0.00 sec][Host: d002465][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,43][PLAIN TEXT (002465Q)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 7 UDP 192.168.1.2:68 <-> 192.168.1.1:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes <-> 1 pkts/590 bytes][Goodput ratio: 87/93][0.00 sec][Host: d002465][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,43][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (002465Q)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 UDP 192.168.1.41:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][ClearText][cat: System/18][4 pkts/891 bytes -> 0 pkts/0 bytes][Goodput ratio: 81/0][665.91 sec][Host: lab111][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT ( EMEBECDBDBDBCACACACACACACACACA)][Plen Bins: 0,0,0,0,0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 UDP 192.168.1.2:5060 -> 200.68.120.81:4932 [proto: 100/SIP][ClearText][cat: VoIP/10][1 pkts/864 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][PLAIN TEXT (INVITE sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
10 UDP 192.168.1.41:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][7 pkts/644 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][13.52 sec][Host: workgroup][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 751/0 2253/0 4255/0 1348/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/kerberos_fuzz.pcapng.out b/tests/result/kerberos_fuzz.pcapng.out
new file mode 100644
index 000000000..cb43450dd
--- /dev/null
+++ b/tests/result/kerberos_fuzz.pcapng.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 1 (1.00 pkts/flow)
+
+Kerberos 1 288 1
+
+ 1 TCP 126.4.1.0:88 -> 19.0.0.0:53646 [proto: 111/Kerberos][ClearText][cat: Network/14][1 pkts/288 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][r1ióóóca\][PLAIN TEXT (/S.2T )][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out
index b29dfbe5f..25fd0bd81 100644
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
@@ -66,7 +66,7 @@ JA3 Host Stats:
40 TCP 192.168.1.6:60566 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][Encrypted][cat: Network/14][9 pkts/3029 bytes <-> 8 pkts/2213 bytes][Goodput ratio: 80/76][2.73 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.156 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 351/431 1977/2053 668/728][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 337/277 1012/1291 385/397][Risk: ** Known protocol on non standard port **][Risk Score: 50][TLSv1.2][Client: dati.ntop.org][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,14,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,14,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0]
41 TCP 192.168.1.6:60546 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][Encrypted][cat: Network/14][10 pkts/2195 bytes <-> 10 pkts/2077 bytes][Goodput ratio: 69/68][5.38 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 650/754 5000/5000 1645/1734][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/208 1021/1292 308/364][Risk: ** Known protocol on non standard port **][Risk Score: 50][TLSv1.2][Client: dati.ntop.org][JA3C: 7120d65624bcd2e02ed4b01388d84cdb][JA3S: 410b9bedaf65dd26c6fe547154d60db4][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0]
42 UDP 192.168.1.6:50036 <-> 52.114.250.137:3478 [proto: 78.250/STUN.Teams][ClearText][cat: VoIP/10][5 pkts/1390 bytes <-> 4 pkts/733 bytes][Goodput ratio: 85/77][4.06 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/100 1003/774 2235/2092 994/932][Pkt Len c2s/s2c min/avg/max/stddev: 228/174 278/183 314/198 33/10][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,44,11,11,11,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Host: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 43 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][6 pkts/1926 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][25.01 sec][Host: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4986/0 5001/0 5018/0 11/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
44 UDP 192.168.1.6:50016 <-> 52.114.250.141:3478 [proto: 78.250/STUN.Teams][ClearText][cat: VoIP/10][4 pkts/1162 bytes <-> 3 pkts/546 bytes][Goodput ratio: 85/77][1.99 sec][bytes ratio: 0.361 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/98 611/101 1783/104 829/3][Pkt Len c2s/s2c min/avg/max/stddev: 256/174 290/182 314/198 25/11][PLAIN TEXT (rtcmedia)][Plen Bins: 0,0,0,0,42,0,14,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
45 TCP 93.62.150.157:443 <-> 192.168.1.6:60512 [proto: 91/TLS][Encrypted][cat: Web/5][2 pkts/1258 bytes <-> 2 pkts/108 bytes][Goodput ratio: 89/0][< 1 sec][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]
46 UDP 192.168.1.6:50017 <-> 52.114.250.141:3478 [proto: 78.250/STUN.Teams][ClearText][cat: VoIP/10][3 pkts/594 bytes <-> 3 pkts/611 bytes][Goodput ratio: 79/79][4.05 sec][bytes ratio: -0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 99/97 2002/2002 3906/3906 1904/1904][Pkt Len c2s/s2c min/avg/max/stddev: 110/187 198/204 256/229 63/18][PLAIN TEXT (The request did not contain a M)][Plen Bins: 0,0,16,0,33,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/telegram.pcap.out b/tests/result/telegram.pcap.out
index fadcdf83c..3e955cce4 100644
--- a/tests/result/telegram.pcap.out
+++ b/tests/result/telegram.pcap.out
@@ -23,7 +23,7 @@ GoogleServices 2 186 1
3 UDP [fe80::4ba:91a:7817:e318]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][ClearText][cat: Network/14][120 pkts/27243 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][58.59 sec][Host: _dacp._tcp.local][_dacp._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 504/0 17386/0 1760/0][Pkt Len c2s/s2c min/avg/max/stddev: 162/0 227/0 489/0 65/0][PLAIN TEXT (iTunes)][Plen Bins: 0,0,0,50,8,20,0,5,15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 UDP 192.168.1.77:23174 <-> 91.108.8.7:521 [proto: 185/Telegram][Encrypted][cat: Chat/9][57 pkts/12266 bytes <-> 66 pkts/14180 bytes][Goodput ratio: 80/80][4.58 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 78/65 500/308 73/53][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 215/215 282/298 59/49][Plen Bins: 0,4,6,8,0,27,38,14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 192.168.1.75:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][ClearText][cat: Network/14][120 pkts/24843 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][58.59 sec][Host: _dacp._tcp.local][_dacp._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 504/0 17387/0 1760/0][Pkt Len c2s/s2c min/avg/max/stddev: 142/0 207/0 469/0 65/0][PLAIN TEXT (iTunes)][Plen Bins: 0,0,0,50,8,20,0,5,15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 6 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][12 pkts/3852 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][54.99 sec][Host: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4886/0 4987/0 5017/0 36/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 6 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][12 pkts/3852 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][54.99 sec][Host: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4886/0 4987/0 5017/0 36/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 192.168.1.77:5353 -> 192.168.1.75:5353 [proto: 8/MDNS][ClearText][cat: Network/14][9 pkts/2880 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][56.23 sec][Host: _companion-link._tcp.local][_companion-link._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3480/0 7028/0 31577/0 9279/0][Pkt Len c2s/s2c min/avg/max/stddev: 320/0 320/0 320/0 0/0][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 UDP 192.168.1.77:50822 <-> 216.58.205.68:443 [proto: 188.126/QUIC.Google][Encrypted][cat: Web/5][2 pkts/1462 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 94/97][0.03 sec][User-Agent: beta Chrome/83.0.4103.34 Intel Mac OS X 10_13_6][Client: www.google.com][PLAIN TEXT (www.google.com)][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0]
9 UDP 192.168.1.77:61974 <-> 216.58.205.68:443 [proto: 188.126/QUIC.Google][Encrypted][cat: Web/5][2 pkts/1462 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 94/97][0.03 sec][User-Agent: beta Chrome/83.0.4103.34 Intel Mac OS X 10_13_6][Client: www.google.com][PLAIN TEXT (www.google.com)][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0]
diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out
index 483ad4b83..42999d51b 100644
--- a/tests/result/zoom.pcap.out
+++ b/tests/result/zoom.pcap.out
@@ -41,7 +41,7 @@ JA3 Host Stats:
17 UDP 192.168.1.117:23903 <-> 162.255.38.14:3478 [proto: 78.189/STUN.Zoom][ClearText][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
18 UDP 192.168.1.117:23903 <-> 162.255.38.14:3479 [proto: 78.189/STUN.Zoom][ClearText][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Risk: ** Known protocol on non standard port **][Risk Score: 50][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 UDP 192.168.1.117:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][3 pkts/330 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Host: workgroup][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 20 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/321 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: tl-sg116e][DHCP Fingerprint: 1,3][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 20 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/321 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Host: tl-sg116e][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
21 TCP 192.168.1.117:54341 -> 62.149.152.153:993 [proto: 51/IMAPS][Encrypted][cat: Email/3][2 pkts/226 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][3.59 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
22 UDP 192.168.1.117:65394 <-> 192.168.1.1:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/65 bytes <-> 1 pkts/140 bytes][Goodput ratio: 35/70][0.04 sec][Host: local][::][PLAIN TEXT (servers)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
23 UDP 192.168.1.117:51185 <-> 192.168.1.1:53 [proto: 5.189/DNS.Zoom][ClearText][cat: Video/26][1 pkts/80 bytes <-> 1 pkts/96 bytes][Goodput ratio: 47/56][0.04 sec][Host: zoomfrn99mmr.zoom.us][109.94.160.99][PLAIN TEXT (zoomfrn)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]