-rw-r--r-- | example/ndpiReader.c | 100 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 100 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 22 | ||||
-rw-r--r-- | tests/result/whatsapp_login_call.pcap.out | 7 |
4 files changed, 161 insertions, 68 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 01e0864cc..b24e61091 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -584,15 +584,21 @@ void printCSVHeader() { fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,"); fprintf(csv_fp, "src2dst_packets,src2dst_bytes,dst2src_packets,dst2src_bytes,"); fprintf(csv_fp, "data_ratio,str_data_ratio,"); - + /* IAT (Inter Arrival Time) */ fprintf(csv_fp, "iat_flow_min,iat_flow_avg,iat_flow_max,iat_flow_stddev,"); fprintf(csv_fp, "iat_c_to_s_min,iat_c_to_s_avg,iat_c_to_s_max,iat_c_to_s_stddev,"); fprintf(csv_fp, "iat_s_to_c_min,iat_s_to_c_avg,iat_s_to_c_max,iat_s_to_c_stddev,"); -/* Packet Length */ - fprintf(csv_fp, "pktlen_c_to_s_min,pktlen_c_to_s_avg,pktlen_c_to_s_max,pktlen_c_to_s_stddev"); - fprintf(csv_fp, "pktlen_s_to_c_min,pktlen_s_to_c_avg,pktlen_s_to_c_max,pktlen_s_to_c_stddev"); + /* Packet Length */ + fprintf(csv_fp, "pktlen_c_to_s_min,pktlen_c_to_s_avg,pktlen_c_to_s_max,pktlen_c_to_s_stddev,"); + fprintf(csv_fp, "pktlen_s_to_c_min,pktlen_s_to_c_avg,pktlen_s_to_c_max,pktlen_s_to_c_stddev,"); + + /* Flow info */ + fprintf(csv_fp, "client_info,server_info,"); + fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,"); + fprintf(csv_fp, "tls_server_info,ja3s,tls_server_unsafe,"); + fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh"); fprintf(csv_fp, "\n"); } @@ -970,6 +976,23 @@ static char* print_cipher(ndpi_cipher_weakness c) { /* ********************************** */ +static char* is_unsafe_cipher(ndpi_cipher_weakness c) { + switch(c) { + case ndpi_cipher_insecure: + return("INSECURE"); + break; + + case ndpi_cipher_weak: + return("WEAK"); + break; + + default: + return("OK"); + } +} + +/* ********************************** */ + /** * @brief Print the flow */ 
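Review bot: In the new is_unsafe_cipher each `break;` sits after a `return` and is unreachable, and the function hands out a non-const `char*` to string literals; `static const char* is_unsafe_cipher(ndpi_cipher_weakness c)` with the two breaks dropped is what the callers (printf `%s` arguments) actually need. The `default:` label also maps every weakness value other than insecure/weak to `OK`, which is fine if the enum has only those three members but would silently report any future value as safe; if the enum has an explicit safe member, name it as a case and let the default print something distinguishable. print_cipher, just above this hunk, presumably has the same switch shape — keep the two consistent.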
@@ -1001,22 +1024,39 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa fprintf(csv_fp, "%u,%llu,", flow->src2dst_packets, (long long unsigned int) flow->src2dst_bytes); fprintf(csv_fp, "%u,%llu,", flow->dst2src_packets, (long long unsigned int) flow->dst2src_bytes); - fprintf(csv_fp, "%.3f,%s,", data_ratio, ndpi_data_ratio2str(data_ratio)); - + /* IAT (Inter Arrival Time) */ - fprintf(csv_fp, "%u,%.1f,%u,%.1f", + fprintf(csv_fp, "%u,%.1f,%u,%.1f,", ndpi_data_min(flow->iat_flow), ndpi_data_average(flow->iat_flow), ndpi_data_max(flow->iat_flow), ndpi_data_stddev(flow->iat_flow)); - fprintf(csv_fp, "%u,%.1f,%u,%.1f,%u,%.1f,%u,%.1f", + fprintf(csv_fp, "%u,%.1f,%u,%.1f,%u,%.1f,%u,%.1f,", ndpi_data_min(flow->iat_c_to_s), ndpi_data_average(flow->iat_c_to_s), ndpi_data_max(flow->iat_c_to_s), ndpi_data_stddev(flow->iat_c_to_s), ndpi_data_min(flow->iat_s_to_c), ndpi_data_average(flow->iat_s_to_c), ndpi_data_max(flow->iat_s_to_c), ndpi_data_stddev(flow->iat_s_to_c)); /* Packet Length */ - fprintf(csv_fp, "%u,%.1f,%u,%.1f,%u,%.1f,%u,%.1f", + fprintf(csv_fp, "%u,%.1f,%u,%.1f,%u,%.1f,%u,%.1f,", ndpi_data_min(flow->pktlen_c_to_s), ndpi_data_average(flow->pktlen_c_to_s), ndpi_data_max(flow->pktlen_c_to_s), ndpi_data_stddev(flow->pktlen_c_to_s), ndpi_data_min(flow->pktlen_s_to_c), ndpi_data_average(flow->pktlen_s_to_c), ndpi_data_max(flow->pktlen_s_to_c), ndpi_data_stddev(flow->pktlen_s_to_c)); + fprintf(csv_fp, "%s,%s,", + (flow->ssh_tls.client_info[0] != '\0') ? flow->ssh_tls.client_info : "", + (flow->ssh_tls.server_info[0] != '\0') ? flow->ssh_tls.server_info : ""); + + fprintf(csv_fp, "%s,%s,%s,", + (flow->ssh_tls.ssl_version != 0) ? ndpi_ssl_version2str(flow->ssh_tls.ssl_version) : "", + (flow->ssh_tls.ja3_client[0] != '\0') ? flow->ssh_tls.ja3_client : "", + (flow->ssh_tls.ja3_client[0] != '\0') ? is_unsafe_cipher(flow->ssh_tls.client_unsafe_cipher) : ""); + + fprintf(csv_fp, "%s,%s,", + (flow->ssh_tls.ja3_server[0] != '\0') ? 
flow->ssh_tls.ja3_server : "", + (flow->ssh_tls.ja3_server[0] != '\0') ? is_unsafe_cipher(flow->ssh_tls.server_unsafe_cipher) : ""); + + fprintf(csv_fp, "%s,%s", + (flow->ssh_tls.client_hassh[0] != '\0') ? flow->ssh_tls.client_hassh : "", + (flow->ssh_tls.server_hassh[0] != '\0') ? flow->ssh_tls.server_hassh : "" + ); + fprintf(csv_fp, "\n"); } @@ -2271,13 +2311,22 @@ void printPortStats(struct port_stats *stats) { /* *********************************************** */ static void printFlowsStats() { + int thread_id; + u_int32_t total_flows = 0; + FILE *out = results_file ? results_file : stdout; + if(enable_payload_analyzer) ndpi_report_payload_stats(); + for(thread_id = 0; thread_id < num_threads; thread_id++) + total_flows += ndpi_thread_info[thread_id].workflow->num_allocated_flows; + + if((all_flows = (struct flow_info*)malloc(sizeof(struct flow_info)*total_flows)) == NULL) { + fprintf(out, "Fatal error: not enough memory\n"); + exit(-1); + } + if(verbose) { - int thread_id; - FILE *out = results_file ? results_file : stdout; - u_int32_t total_flows = 0; ndpi_host_ja3_fingerprints *ja3ByHostsHashT = NULL; // outer hash table ndpi_ja3_fingerprints_host *hostByJA3C_ht = NULL; // for client ndpi_ja3_fingerprints_host *hostByJA3S_ht = NULL; // for server @@ -2289,14 +2338,6 @@ static void printFlowsStats() { unsigned int num_ja3_client; unsigned int num_ja3_server; - for(thread_id = 0; thread_id < num_threads; thread_id++) - total_flows += ndpi_thread_info[thread_id].workflow->num_allocated_flows; - - if((all_flows = (struct flow_info*)malloc(sizeof(struct flow_info)*total_flows)) == NULL) { - fprintf(out, "Fatal error: not enough memory\n"); - exit(-1); - } - if(!json_flag) fprintf(out, "\n"); num_flows = 0; 
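Review bot: The new CSV columns print `flow->ssh_tls.client_info`, `server_info`, the JA3/HASSH strings and the `ndpi_ssl_version2str()` result with bare `%s`, so a comma, double quote or newline inside a value that comes off the wire (an SNI or SSH banner, if that is what client_info/server_info hold) shifts every later column and can split the row. Fields that can carry peer-supplied bytes should go through a quoting helper such as the one below instead of `%s`. The `x[0] != '\0' ? x : ""` ternaries are also no-ops, since an empty string already prints as an empty field. printFlow's body starts before this hunk.
```c
/* Wrap a protocol-derived string in double quotes and double any embedded
   quote, so commas/newlines in peer-supplied names cannot shift CSV columns. */
static void csv_put_quoted(FILE *fp, const char *s) {
  fputc('"', fp);
  for(; *s != '\0'; s++) {
    if(*s == '"')
      fputc('"', fp);
    fputc(*s, fp);
  }
  fputc('"', fp);
}

  /* … unchanged: IAT and packet-length columns … */
  csv_put_quoted(csv_fp, flow->ssh_tls.client_info); fputc(',', csv_fp);
  csv_put_quoted(csv_fp, flow->ssh_tls.server_info); fputc(',', csv_fp);
  /* … same pattern for ja3c, ja3s, client_hassh, server_hassh;
     the tls_version and is_unsafe_cipher() columns are fixed vocab and can stay as %s … */
```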
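Review bot: Moving the `all_flows` allocation out of the `if(verbose)` block means `malloc(sizeof(struct flow_info)*total_flows)` now runs on every call, including the case `total_flows == 0` (no flows allocated in any thread), where `malloc(0)` may legitimately return NULL and the new code exits with "Fatal error: not enough memory" on paths that never used the array before. Guard the zero case and let the library check the size product, e.g. `all_flows = calloc(total_flows > 0 ? total_flows : 1, sizeof(*all_flows));`, which also drops the malloc cast. printFlowsStats continues past this hunk.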
@@ -2625,8 +2666,8 @@ static void printFlowsStats() { qsort(all_flows, num_flows, sizeof(struct flow_info), cmpFlows); if(verbose > 1) { - for(i=0; i<num_flows; i++) - printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id); + for(i=0; i<num_flows; i++) + printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id); } for(thread_id = 0; thread_id < num_threads; thread_id++) { @@ -2657,8 +2698,21 @@ static void printFlowsStats() { for(i=0; i<num_flows; i++) printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id); - free(all_flows); + } else if(csv_fp != NULL) { + int i; + + num_flows = 0; + for(thread_id = 0; thread_id < num_threads; thread_id++) { + for(i=0; i<NUM_ROOTS; i++) + ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], + node_print_known_proto_walker, &thread_id); + } + + for(i=0; i<num_flows; i++) + printFlow(i+1, all_flows[i].flow, all_flows[i].thread_id); } + + free(all_flows); } /* *********************************************** */ diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 0ab3ed805..76a75fb8d 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -30,10 +30,8 @@ #define MAX_NUM_STUN_PKTS 8 -#if 0 -#define DEBUG_STUN 1 -#define DEBUG_LRU 1 -#endif +// #define DEBUG_STUN 1 +// #define DEBUG_LRU 1 struct stun_packet_header { u_int16_t msg_type, msg_len; @@ -52,9 +50,9 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { /* ************************************************************ */ -static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int app_proto, u_int proto) { +void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int app_proto, u_int proto) { if(ndpi_struct->stun_cache == NULL) ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); 
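Review bot: The new `else if(csv_fp != NULL)` branch repeats the twalk-then-printFlow loop that the verbose branch already runs; a small static helper (walk every thread's `ndpi_flows_root`, then print `all_flows[0..num_flows)`) called from both places would keep the two paths from drifting apart. When neither `verbose` nor `csv_fp` is set, `all_flows` is now allocated and freed without ever being filled; harmless, but a comment at the allocation saying the array is only consumed by these two branches would explain the otherwise puzzling `free(all_flows)` at the end. printFlowsStats starts before this hunk.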
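Review bot: Dropping `static` from ndpi_int_stun_add_connection exports the function from the library, and nothing in this diff adds a prototype for it to a header (tls.c adds no new caller), so any out-of-file user would rely on an implicit declaration and the symbol joins the global namespace. If the only new caller is the one added later in this file inside ndpi_int_check_stun, keep the function `static` — it is defined before that caller — and if it is meant to be shared, declare it in the protocol header instead. The function body continues in the next hunk.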
@@ -62,24 +60,40 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd && flow->packet.iph && flow->packet.udp && (app_proto != NDPI_PROTOCOL_UNKNOWN) - ) /* Cache flow sender info */ { + ) /* Cache flow sender info */ { u_int32_t key = get_stun_lru_key(flow, 0); u_int16_t cached_proto; - - if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { + + if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key, + &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { #ifdef DEBUG_LRU printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key, cached_proto, proto, app_proto); #endif - app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN; - } else { + app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN; + } else { + u_int32_t key1 = get_stun_lru_key(flow, 1); + + if(ndpi_lru_find_cache(ndpi_struct->stun_cache, key1, + &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { +#ifdef DEBUG_LRU + printf("[LRU] FOUND %u / %u: no need to cache %u.%u\n", key1, cached_proto, proto, app_proto); +#endif + app_proto = cached_proto, proto = NDPI_PROTOCOL_STUN; + } else { + if(app_proto != NDPI_PROTOCOL_STUN) { + /* No sense to ass STUN, but only subprotocols */ + #ifdef DEBUG_LRU - printf("[LRU] ADDING %u / %u.%u\n", key, proto, app_proto); + printf("[LRU] ADDING %u / %u.%u [%u -> %u]\n", key, proto, app_proto, + ntohs(flow->packet.udp->source), ntohs(flow->packet.udp->dest)); #endif - - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto); + + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto); + } + } } } - + ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, proto); } 
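Review bot: The new comment `/* No sense to ass STUN, but only subprotocols */` has a typo and does not say what the guard protects; suggest `/* Cache only sub-protocols: a bare STUN entry would tell us nothing on lookup */`. The forward lookup, reverse lookup and add are now three levels of nested `else`, which a single found flag (look up `key`, then `key1`, add only if neither hit and `app_proto != NDPI_PROTOCOL_STUN`) would flatten. Note that on a hit the caller's `app_proto` is replaced by whatever was cached for the address/port key, so an unrelated flow that later reuses that key inherits the classification; that is pre-existing, but the second lookup now extends it to the reverse key as well.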
@@ -174,7 +188,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * ) printf("[STUN] Here we go\n");; #endif - + if(ndpi_struct->stun_cache) { u_int16_t proto; u_int32_t key = get_stun_lru_key(flow, 0); @@ -186,18 +200,18 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if(!rc) { key = get_stun_lru_key(flow, 1); - rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */); + rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */); #ifdef DEBUG_LRU printf("[LRU] Searching %u\n", key); #endif } - + if(rc) { #ifdef DEBUG_LRU printf("[LRU] Cache FOUND %u / %u\n", key, proto); #endif - + flow->guessed_host_protocol_id = proto, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; switch(proto) { @@ -214,19 +228,19 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * flow->protos.stun_ssl.stun.is_skype = 1; break; } - + return(NDPI_IS_STUN); } else { #ifdef DEBUG_LRU printf("[LRU] NOT FOUND %u\n", key); -#endif - } +#endif + } } else { #ifdef DEBUG_LRU printf("[LRU] NO/EMPTY CACHE\n"); #endif } - + if(msg_type == 0x01 /* Binding Request */) { flow->protos.stun_ssl.stun.num_binding_requests++; @@ -235,10 +249,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * else flow->guessed_host_protocol_id = NDPI_PROTOCOL_STUN; - flow->protos.stun_ssl.stun.num_udp_pkts++; - - if(msg_len == 0) + if(msg_len == 0) { + flow->protos.stun_ssl.stun.num_udp_pkts++; return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */ + } } if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) { 
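Review bot: `num_udp_pkts++` now runs only for binding requests with `msg_len == 0`, whereas before it ran for every binding request; if this counter is not incremented elsewhere, the `num_udp_pkts < MAX_NUM_STUN_PKTS` test in the whatsapp-voice path later in this function will need more packets (or never enough) to flip to NDPI_IS_STUN. If the narrowing is intended, a one-line comment on the increment such as `/* counts empty binding requests only; drives the MAX_NUM_STUN_PKTS cut-off */` would stop the next reader from moving it back. ndpi_int_check_stun starts before and ends after this hunk.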
@@ -330,10 +344,17 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * for(j=0; j<i; j++) flow->host_server_name[j] = payload[k++]; +#ifdef DEBUG_STUN + printf("==> [%s]\n", flow->host_server_name); +#endif + if(strstr((char*)flow->host_server_name, "google.com") != NULL) { *is_duo = 1; flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; return(NDPI_IS_STUN); + } else if(strstr((char*)flow->host_server_name, "whispersystems.org") != NULL) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; + return(NDPI_IS_STUN); } } } @@ -345,13 +366,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * *is_messenger = 1; return(NDPI_IS_STUN); } else if(msg_len == 76) { +#if 0 *is_duo = 1; - + if(1) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */ } else return(NDPI_IS_STUN); +#endif } } break; @@ -442,7 +465,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * udp_stun_found: if(can_this_be_whatsapp_voice) { struct ndpi_packet_struct *packet = &flow->packet; - + int rc; + flow->protos.stun_ssl.stun.num_processed_pkts++; #ifdef DEBUG_STUN printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n"); 
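Review bot: `strstr((char*)flow->host_server_name, "whispersystems.org")` (like the existing google.com test) matches the token anywhere in the name, so a name that merely contains it, or has it as a prefix of a longer domain, is classified as Signal; a suffix or whole-label comparison is the safer test for a name that comes straight from the packet. The copy loop just above fills `host_server_name` byte-by-byte from `payload` and the hunk shows no terminator being written, so both strstr calls and the new debug printf depend on the buffer being NUL-terminated elsewhere — worth a comment at the loop if it is. The enclosing function continues outside the hunk.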
@@ -454,7 +478,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } else flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr))) ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE; - return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN); + + rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN; + + if(rc == NDPI_IS_STUN) + ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_IS_STUN); + + return(rc); } else { /* We cannot immediately say that this is STUN as there are other protocols @@ -497,11 +527,14 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n } else if(is_duo) { ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN); return; + } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) { + ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN); + return; } else if(flow->protos.stun_ssl.stun.is_skype || (flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL)) { NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); // if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); + ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ ndpi_int_stun_add_connection(ndpi_struct, flow, 
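Review bot: The new call `ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_IS_STUN)` passes `NDPI_IS_STUN`, a member of the ndpi_int_stun_t result enum, where the fourth parameter is a protocol id; every other call site in this diff passes `NDPI_PROTOCOL_STUN`. Change it to `ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_STUN);` — as written, the master protocol recorded for these flows is whatever integer NDPI_IS_STUN happens to be. The function body continues outside the hunk.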
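Review bot: The new Signal branch sits just before the Skype test, and that placement matters because the test's second operand `(flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL)` is an assignment, which is always true if that constant is non-zero, so every flow that reaches it is classified as Skype. The line is pre-existing context, but now that more branches are threaded past it the `=` deserves either a `==` or a comment stating the assignment is deliberate. The same Signal branch is duplicated in the UDP path in the next hunk; a small helper would keep the TCP and UDP branches in step.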
@@ -519,13 +552,16 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n packet->payload_packet_len, &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) { if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - + if(is_messenger) { ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN); return; } else if(is_duo) { ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN); return; + } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) { + ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN); + return; } else if(flow->protos.stun_ssl.stun.is_skype) { NDPI_LOG_INFO(ndpi_struct, "Found Skype\n"); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index f468df8d8..8a4d0c3ac 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -918,17 +918,18 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, if(len < (sizeof(utcDate)-1)) { struct tm utc; + utc.tm_isdst = -1; /* Not set by strptime */ strncpy(utcDate, (const char*)&packet->payload[i+4], len); utcDate[len] = '\0'; /* 141021000000Z */ if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { + flow->protos.stun_ssl.ssl.notBefore = timegm(&utc); #ifdef DEBUG_TLS printf("[CERTIFICATE] notBefore %u [%s]\n", - (unsigned int)mktime(&utc), utcDate); + flow->protos.stun_ssl.ssl.notBefore, utcDate); #endif - flow->protos.stun_ssl.ssl.notBefore = timegm(&utc); } } 
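Review bot: `struct tm utc;` is still only partly initialised: the new line sets `tm_isdst`, but strptime with `"%y%m%d%H%M%SZ"` fills only the year, month, day, hour, minute and second fields, so the remaining members are passed to timegm indeterminate. Use `struct tm utc = {0}; utc.tm_isdst = -1;` (or memset the struct) here and in the matching notAfter block in the next hunk. The debug printf now formats `flow->protos.stun_ssl.ssl.notBefore` with `%u`; if that field is a time_t the format no longer matches, and timegm's -1 error return is not checked before the value is stored. getSSLorganization continues outside the hunk.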
@@ -948,17 +949,18 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, if(len < (sizeof(utcDate)-1)) { struct tm utc; + utc.tm_isdst = -1; /* Not set by strptime */ strncpy(utcDate, (const char*)&packet->payload[offset], len); utcDate[len] = '\0'; /* 141021000000Z */ if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { + flow->protos.stun_ssl.ssl.notAfter = timegm(&utc); #ifdef DEBUG_TLS printf("[CERTIFICATE] notAfter %u [%s]\n", - (unsigned int)mktime(&utc), utcDate); + flow->protos.stun_ssl.ssl.notAfter, utcDate); #endif - flow->protos.stun_ssl.ssl.notAfter = timegm(&utc); } } } @@ -1329,16 +1331,18 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { - u_int32_t key = get_stun_lru_key(flow, 1); - if(ndpi_struct->stun_cache == NULL) ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, NDPI_PROTOCOL_SIGNAL); + if(ndpi_struct->stun_cache) { #ifdef DEBUG_TLS - printf("[LRU] Adding Signal cached key %u\n", key); + printf("[LRU] Adding Signal cached keys\n"); #endif - + + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 0), NDPI_PROTOCOL_SIGNAL); + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 1), NDPI_PROTOCOL_SIGNAL); + } + /* In Signal protocol STUN turns into DTLS... */ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL); } else if(flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') { diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index bc61744db..8ea3807d2 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -1,7 +1,6 @@ HTTP 11 726 3 MDNS 8 952 4 DHCP 10 3420 1 -STUN 27 2322 2 ICMP 10 700 1 RTP 44 7818 2 TLS 8 589 2 
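Review bot: The rewrite inserts the Signal keys only when `ndpi_struct->stun_cache` already exists, whereas the removed lines created the cache on demand; a Signal flow seen before any STUN traffic has populated the cache (a capture starting mid-session, for instance) now leaves nothing cached, and the debug printf inside the `if` gives no trace of that path. If lazy creation is meant to live only in stun.c, a comment on the `if` saying so would help; otherwise keep the `ndpi_lru_cache_init(1024)` fallback ahead of it. ndpi_search_tls_tcp_udp continues outside the hunk.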
@@ -9,7 +8,7 @@ Dropbox 4 2176 1 Apple 190 50263 21 WhatsApp 182 25154 2 Spotify 3 258 1 -WhatsAppVoice 732 92802 16 +WhatsAppVoice 759 95124 18 ApplePush 22 5926 1 JA3 Host Stats: 
@@ -29,8 +28,8 @@ JA3 Host Stats: 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 87/RTP][cat: Media/1][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1790.6/713.6 6986/6468 2740.8/1919.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] 11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)] 12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 116.9/111.0 275/175 106.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5] - 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78/STUN][cat: Network/14][15 pkts/1290 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.7/0.0 667/0 12.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] - 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78/STUN][cat: Network/14][12 pkts/1032 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.7/0.0 667/0 12.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] 15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 
bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0] 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] |