-rw-r--r--doc/configuration_parameters.md2
-rw-r--r--fuzz/fuzz_config.cpp30
-rw-r--r--src/include/ndpi_private.h3
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/protocols/dns.c41
-rw-r--r--tests/cfgs/default/pcap/dns.pcapbin0 -> 868 bytes
-rw-r--r--tests/cfgs/default/result/dns.pcap.out30
-rw-r--r--tests/cfgs/dns_process_response_disable/config.txt1
l---------tests/cfgs/dns_process_response_disable/pcap/dns.pcap1
-rw-r--r--tests/cfgs/dns_process_response_disable/result/dns.pcap.out30
-rw-r--r--tests/cfgs/dns_subclassification_and_process_response_disable/config.txt1
l---------tests/cfgs/dns_subclassification_and_process_response_disable/pcap/dns.pcap1
-rw-r--r--tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out29
-rw-r--r--tests/cfgs/dns_subclassification_disable/config.txt1
l---------tests/cfgs/dns_subclassification_disable/pcap/dns.pcap1
-rw-r--r--tests/cfgs/dns_subclassification_disable/result/dns.pcap.out29
16 files changed, 187 insertions, 16 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index c92969038..b19850d81 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -26,6 +26,8 @@ TODO
| "pop" | "tls_dissection.enable" | 1 | NULL | NULL | Enable/disable dissection of TLS packets in cleartext POP flows (because of opportunistic TLS, via STARTTLS msg) |
| "ftp" | "tls_dissection.enable" | 1 | NULL | NULL | Enable/disable dissection of TLS packets in cleartext FTP flows (because of opportunistic TLS, via AUTH TLS msg) |
| "stun" | "tls_dissection.enable" | 1 | NULL | NULL | Enable/disable dissection of TLS packets multiplexed into STUN flows |
+| "dns" | "subclassification.enable" | 1 | NULL | NULL | Enable/disable sub-classification of DNS flows (via query/response domain name). If disabled, some flow risks are not checked |
+| "dns" | "process_response.enable" | 1 | NULL | NULL | Enable/disable processing of DNS responses. By default, DNS flows are fully classified after the first request/response pair (or after the first response, if the request is missing). If this parameter is disabled, the flows are fully classified after the first packet, i.e. usually after the first request; in that case, some flow risks are not checked and some metadata are not exported |
| "http" | "process_response.enable" | 1 | NULL | NULL | Enable/disable processing of HTTP responses. By default, HTTP flows are usually fully classified after the first request/response pair. If this parameter is disabled, the flows are fully classified after the first request (or after the first response, if the request is missing); in that case, some flow risks are not checked and some metadata are not exported |
| "ookla" | "aggressiveness", | 0x01 | 0x00 | 0x01 | Detection aggressiveness for Ookla. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable heuristic for detection over TLS (via Ookla LRU cache) |
| $PROTO_NAME | "ip_list.load" | 1 | NULL | NULL | Enable/disable loading of internal list of IP addresses (used for (sub)classification) specific to that protocol. Use "any" as protocol name if you want to easily enable/disable all lists. This knob is valid only for the following protocols: Alibaba, Amazon AWS, Apple, Avast, Bloomberg, Cachefly, Cloudflare, Discord, Disney+, Dropbox, Edgecast, EpicGames, Ethereum, Facebook, Github, Google, Google Cloud, GoTo, Hotspot Shield, Hulu, Line, Microsoft 365, Microsoft Azure, Microsoft One Drive, Microsoft Outlook, Mullvad, Netflix, Nvidia, OpenDNS, ProtonVPN, RiotGames, Roblox, Skype/Teams, Starcraft, Steam, Teamviewer, Telegram, Tencent, Threema, TOR, Twitch, Twitter, UbuntuONE, VK, Yandex, Yandex Cloud, Webex, Whatsapp, Zoom |
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 955948255..eda75111f 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -120,6 +120,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
sprintf(cfg_value, "%d", value);
+ ndpi_set_config(ndpi_info_mod, "dns", "subclassification.enable", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+ sprintf(cfg_value, "%d", value);
+ ndpi_set_config(ndpi_info_mod, "dns", "process_response.enable", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+ sprintf(cfg_value, "%d", value);
ndpi_set_config(ndpi_info_mod, "http", "process_response.enable", cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
@@ -153,6 +163,26 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
sprintf(cfg_value, "%d", value);
+ ndpi_set_config(ndpi_info_mod, NULL, "flow.track_payload.enable", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+ sprintf(cfg_value, "%d", value);
+ ndpi_set_config(ndpi_info_mod, NULL, "tcp_ack_payload_heuristic.enable", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+ sprintf(cfg_value, "%d", value);
+ ndpi_set_config(ndpi_info_mod, NULL, "fully_encrypted_heuristic.enable", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+ sprintf(cfg_value, "%d", value);
+ ndpi_set_config(ndpi_info_mod, NULL, "libgcrypt.init", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+ sprintf(cfg_value, "%d", value);
ndpi_set_config(ndpi_info_mod, NULL, "flow_risk_lists.load", cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index cf857be23..0de05c817 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -205,6 +205,9 @@ struct ndpi_detection_module_config_struct {
int stun_opportunistic_tls_enabled;
+ int dns_subclassification_enabled;
+ int dns_parse_response_enabled;
+
int http_parse_response_enabled;
int ookla_aggressiveness;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d3282c7da..8e0c8b278 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -10790,6 +10790,9 @@ static const struct cfg_param {
{ "stun", "tls_dissection.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(stun_opportunistic_tls_enabled) },
+ { "dns", "subclassification.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_subclassification_enabled) },
+ { "dns", "process_response.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_parse_response_enabled) },
+
{ "http", "process_response.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_parse_response_enabled) },
{ "ookla", "aggressiveness", "0x01", "0", "1", CFG_PARAM_INT, __OFF(ookla_aggressiveness) },
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 8bef69461..112c2ad50 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -785,23 +785,30 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
}
if(len > 0) {
- ndpi_protocol_match_result ret_match;
+ if(ndpi_struct->cfg.dns_subclassification_enabled) {
+ ndpi_protocol_match_result ret_match;
- ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
- flow->host_server_name,
- strlen(flow->host_server_name),
- &ret_match,
+ ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
+ flow->host_server_name,
+ strlen(flow->host_server_name),
+ &ret_match,
NDPI_PROTOCOL_DNS);
+
+ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+ ret.master_protocol = checkDNSSubprotocol(s_port, d_port);
+ else
+ ret.master_protocol = NDPI_PROTOCOL_DNS;
+
+ ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
+ } else {
+ ret.master_protocol = checkDNSSubprotocol(s_port, d_port);
+ ret.app_protocol = NDPI_PROTOCOL_UNKNOWN;
+ }
+
/* Category is always NDPI_PROTOCOL_CATEGORY_NETWORK, regardless of the subprotocol */
flow->category = NDPI_PROTOCOL_CATEGORY_NETWORK;
- if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
- ret.master_protocol = checkDNSSubprotocol(s_port, d_port);
- else
- ret.master_protocol = NDPI_PROTOCOL_DNS;
-
- ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
}
/* Report if this is a DNS query or reply */
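Review bot: With `dns_subclassification_enabled` set to 0, the new `else` branch also skips `ndpi_check_dga_name()`, so a knob named for sub-classification switches off a domain-name risk check as a side effect. The documentation row in this commit says some flow risks are not checked, so the coupling looks intended, but nothing at the branch says so; a comment such as `/* Subclassification disabled: no host match and no DGA check on host_server_name */` above the `else` body would make it visible to whoever edits this next. If the DGA check does not need the host-match result (not visible in this hunk), the call could instead stay after the `if/else` so it runs in both cases. ndpi_search_dns starts and ends outside the hunk.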
@@ -811,11 +818,13 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
/* In this case we say that the protocol has been detected just to let apps carry on with their activities */
ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol, NDPI_CONFIDENCE_DPI);
- /* We have never triggered extra-dissection for LLMNR. Keep the old behaviour */
- if(ret.master_protocol != NDPI_PROTOCOL_LLMNR) {
- /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */
- flow->max_extra_packets_to_check = 5;
- flow->extra_packets_func = search_dns_again;
+ if(ndpi_struct->cfg.dns_parse_response_enabled) {
+ /* We have never triggered extra-dissection for LLMNR. Keep the old behaviour */
+ if(ret.master_protocol != NDPI_PROTOCOL_LLMNR) {
+ /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */
+ flow->max_extra_packets_to_check = 5;
+ flow->extra_packets_func = search_dns_again;
+ }
}
return; /* The response will set the verdict */
}
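Review bot: The comment on `return; /* The response will set the verdict */` is stale when `dns_parse_response_enabled` is 0, because `extra_packets_func` is then never set and the result passed to `ndpi_set_detected_protocol()` just above stands as the classification. It would read correctly as `return; /* The response, if processed, will set the verdict */`. The two nested conditions could also be a single `if(ndpi_struct->cfg.dns_parse_response_enabled && ret.master_protocol != NDPI_PROTOCOL_LLMNR) {`, which keeps the LLMNR comment next to the test it explains. The enclosing block and the rest of ndpi_search_dns lie outside the hunk.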
diff --git a/tests/cfgs/default/pcap/dns.pcap b/tests/cfgs/default/pcap/dns.pcap
new file mode 100644
index 000000000..e75aeff6a
--- /dev/null
+++ b/tests/cfgs/default/pcap/dns.pcap
Binary files differ
diff --git a/tests/cfgs/default/result/dns.pcap.out b/tests/cfgs/default/result/dns.pcap.out
new file mode 100644
index 000000000..768b51b97
--- /dev/null
+++ b/tests/cfgs/default/result/dns.pcap.out
@@ -0,0 +1,30 @@
+DPI Packets (UDP): 3 (1.50 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 3/3 (search/found)
+Automa domain: 3/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 1/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 1/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Google 3 226 1
+WhatsApp 2 310 1
+
+Acceptable 5 536 2
+
+ 1 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5.142/DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][169.45.219.235][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5.126/DNS.Google][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.l.google.com][::][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/dns_process_response_disable/config.txt b/tests/cfgs/dns_process_response_disable/config.txt
new file mode 100644
index 000000000..028879f70
--- /dev/null
+++ b/tests/cfgs/dns_process_response_disable/config.txt
@@ -0,0 +1 @@
+--cfg=dns,process_response.enable,0
diff --git a/tests/cfgs/dns_process_response_disable/pcap/dns.pcap b/tests/cfgs/dns_process_response_disable/pcap/dns.pcap
new file mode 120000
index 000000000..aea7db12b
--- /dev/null
+++ b/tests/cfgs/dns_process_response_disable/pcap/dns.pcap
@@ -0,0 +1 @@
+../../default/pcap/dns.pcap \ No newline at end of file
diff --git a/tests/cfgs/dns_process_response_disable/result/dns.pcap.out b/tests/cfgs/dns_process_response_disable/result/dns.pcap.out
new file mode 100644
index 000000000..53f29a7f5
--- /dev/null
+++ b/tests/cfgs/dns_process_response_disable/result/dns.pcap.out
@@ -0,0 +1,30 @@
+DPI Packets (UDP): 2 (1.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 2/2 (search/found)
+Automa domain: 2/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 1/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 1/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Google 3 226 1
+WhatsApp 2 310 1
+
+Acceptable 5 536 2
+
+ 1 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5.142/DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][::][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5.126/DNS.Google][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.l.google.com][::][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/dns_subclassification_and_process_response_disable/config.txt b/tests/cfgs/dns_subclassification_and_process_response_disable/config.txt
new file mode 100644
index 000000000..85e59f245
--- /dev/null
+++ b/tests/cfgs/dns_subclassification_and_process_response_disable/config.txt
@@ -0,0 +1 @@
+--cfg=dns,subclassification.enable,0 --cfg=dns,process_response.enable,0
diff --git a/tests/cfgs/dns_subclassification_and_process_response_disable/pcap/dns.pcap b/tests/cfgs/dns_subclassification_and_process_response_disable/pcap/dns.pcap
new file mode 120000
index 000000000..aea7db12b
--- /dev/null
+++ b/tests/cfgs/dns_subclassification_and_process_response_disable/pcap/dns.pcap
@@ -0,0 +1 @@
+../../default/pcap/dns.pcap \ No newline at end of file
diff --git a/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out
new file mode 100644
index 000000000..08b023648
--- /dev/null
+++ b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out
@@ -0,0 +1,29 @@
+DPI Packets (UDP): 2 (1.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 2/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 4/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 1/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS 5 536 2
+
+Acceptable 5 536 2
+
+ 1 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][::][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.l.google.com][::][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/dns_subclassification_disable/config.txt b/tests/cfgs/dns_subclassification_disable/config.txt
new file mode 100644
index 000000000..09cc4f225
--- /dev/null
+++ b/tests/cfgs/dns_subclassification_disable/config.txt
@@ -0,0 +1 @@
+--cfg=dns,subclassification.enable,0
diff --git a/tests/cfgs/dns_subclassification_disable/pcap/dns.pcap b/tests/cfgs/dns_subclassification_disable/pcap/dns.pcap
new file mode 120000
index 000000000..aea7db12b
--- /dev/null
+++ b/tests/cfgs/dns_subclassification_disable/pcap/dns.pcap
@@ -0,0 +1 @@
+../../default/pcap/dns.pcap \ No newline at end of file
diff --git a/tests/cfgs/dns_subclassification_disable/result/dns.pcap.out b/tests/cfgs/dns_subclassification_disable/result/dns.pcap.out
new file mode 100644
index 000000000..51f6be64a
--- /dev/null
+++ b/tests/cfgs/dns_subclassification_disable/result/dns.pcap.out
@@ -0,0 +1,29 @@
+DPI Packets (UDP): 3 (1.50 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 2/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 4/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 1/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS 5 536 2
+
+Acceptable 5 536 2
+
+ 1 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][169.45.219.235][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.l.google.com][::][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]