-rw-r--r-- | example/ndpiReader.c | 2 | ||||
-rw-r--r-- | example/ndpi_util.c | 264 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 5 | ||||
-rw-r--r-- | src/lib/Makefile.in | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 525 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 620 | ||||
-rw-r--r-- | src/lib/protocols/ssl.c | 2 | ||||
-rw-r--r-- | tests/result/1kxun.pcap.out | 8 | ||||
-rw-r--r-- | tests/result/6in4tunnel.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/KakaoTalk_chat.pcap.out | 10 | ||||
-rw-r--r-- | tests/result/KakaoTalk_talk.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/dnscrypt.pcap.out | 8 | ||||
-rw-r--r-- | tests/result/google_ssl.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/skype.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/skype_no_unknown.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/viber.pcap.out | 10 | ||||
-rw-r--r-- | tests/result/waze.pcap.out | 24 | ||||
-rw-r--r-- | tests/result/webex.pcap.out | 52 | ||||
-rw-r--r-- | tests/result/whatsapp_login_call.pcap.out | 4 |
19 files changed, 801 insertions, 745 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 508050e12..87d86eaa0 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -845,7 +845,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if(flow->ssh_ssl.ja3_server[0] != '\0') fprintf(out, "[JA3S: %s%s]", flow->ssh_ssl.ja3_server, print_cipher(flow->ssh_ssl.server_unsafe_cipher)); if(flow->ssh_ssl.server_organization[0] != '\0') fprintf(out, "[organization: %s]", flow->ssh_ssl.server_organization); - if(flow->ssh_ssl.server_cipher != '\0') fprintf(out, "[%s]", print_cipher_id(flow->ssh_ssl.server_cipher));; + if(flow->ssh_ssl.server_cipher != '\0') fprintf(out, "[%s]", ndpi_cipher2str(flow->ssh_ssl.server_cipher));; if(flow->bittorent_hash[0] != '\0') fprintf(out, "[BT Hash: %s]", flow->bittorent_hash); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index c8d194e75..896332e08 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
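Review bot: The changed line in printFlow still tests `flow->ssh_ssl.server_cipher != '\0'`, which compares a numeric cipher id with a character literal, and it keeps the stray `;;` at the end. Since the value is now handed to `ndpi_cipher2str(u_int32_t)`, the plain form reads correctly: `if(flow->ssh_ssl.server_cipher != 0) fprintf(out, "[%s]", ndpi_cipher2str(flow->ssh_ssl.server_cipher));`. Id 0 is itself an entry in the table this commit removes from ndpi_util.c (TLS_NULL_WITH_NULL_NULL), so a flow that negotiated the NULL suite would be printed as if no cipher had been seen; whether that can happen depends on how the field is filled in, which is not visible here. printFlow's body starts and ends outside the hunk.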
@@ -102,270 +102,6 @@ static void *malloc_wrapper(size_t size) { /* ***************************************************** */ -const char* print_cipher_id(u_int32_t cipher) { - switch(cipher) { - case 0x000000: return("TLS_NULL_WITH_NULL_NULL"); - case 0x000001: return("TLS_RSA_WITH_NULL_MD5"); - case 0x000002: return("TLS_RSA_WITH_NULL_SHA"); - case 0x000003: return("TLS_RSA_EXPORT_WITH_RC4_40_MD5"); - case 0x000004: return("TLS_RSA_WITH_RC4_128_MD5"); - case 0x000005: return("TLS_RSA_WITH_RC4_128_SHA"); - case 0x000006: return("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"); - case 0x000007: return("TLS_RSA_WITH_IDEA_CBC_SHA"); - case 0x000008: return("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"); - case 0x000009: return("TLS_RSA_WITH_DES_CBC_SHA"); - case 0x00000a: return("TLS_RSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00000b: return("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"); - case 0x00000c: return("TLS_DH_DSS_WITH_DES_CBC_SHA"); - case 0x00000d: return("TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"); - case 0x00000e: return("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"); - case 0x00000f: return("TLS_DH_RSA_WITH_DES_CBC_SHA"); - case 0x000010: return("TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"); - case 0x000011: return("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); - case 0x000012: return("TLS_DHE_DSS_WITH_DES_CBC_SHA"); - case 0x000013: return("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"); - case 0x000014: return("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"); - case 0x000015: return("TLS_DHE_RSA_WITH_DES_CBC_SHA"); - case 0x000016: return("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"); - case 0x000017: return("TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"); - case 0x000018: return("TLS_DH_anon_WITH_RC4_128_MD5"); - case 0x000019: return("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"); - case 0x00001a: return("TLS_DH_anon_WITH_DES_CBC_SHA"); - case 0x00001b: return("TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"); - case 0x00001c: return("SSL_FORTEZZA_KEA_WITH_NULL_SHA"); - case 0x00001d: return("SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"); - /* case 0x00001e: 
return("SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"); */ - case 0x00001E: return("TLS_KRB5_WITH_DES_CBC_SHA"); - case 0x00001F: return("TLS_KRB5_WITH_3DES_EDE_CBC_SHA"); - case 0x000020: return("TLS_KRB5_WITH_RC4_128_SHA"); - case 0x000021: return("TLS_KRB5_WITH_IDEA_CBC_SHA"); - case 0x000022: return("TLS_KRB5_WITH_DES_CBC_MD5"); - case 0x000023: return("TLS_KRB5_WITH_3DES_EDE_CBC_MD5"); - case 0x000024: return("TLS_KRB5_WITH_RC4_128_MD5"); - case 0x000025: return("TLS_KRB5_WITH_IDEA_CBC_MD5"); - case 0x000026: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"); - case 0x000027: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"); - case 0x000028: return("TLS_KRB5_EXPORT_WITH_RC4_40_SHA"); - case 0x000029: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"); - case 0x00002A: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"); - case 0x00002B: return("TLS_KRB5_EXPORT_WITH_RC4_40_MD5"); - case 0x00002C: return("TLS_PSK_WITH_NULL_SHA"); - case 0x00002D: return("TLS_DHE_PSK_WITH_NULL_SHA"); - case 0x00002E: return("TLS_RSA_PSK_WITH_NULL_SHA"); - case 0x00002f: return("TLS_RSA_WITH_AES_128_CBC_SHA"); - case 0x000030: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA"); - case 0x000031: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA"); - case 0x000032: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); - case 0x000033: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA"); - case 0x000034: return("TLS_DH_anon_WITH_AES_128_CBC_SHA"); - case 0x000035: return("TLS_RSA_WITH_AES_256_CBC_SHA"); - case 0x000036: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA"); - case 0x000037: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA"); - case 0x000038: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA"); - case 0x000039: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA"); - case 0x00003A: return("TLS_DH_anon_WITH_AES_256_CBC_SHA"); - case 0x00003B: return("TLS_RSA_WITH_NULL_SHA256"); - case 0x00003C: return("TLS_RSA_WITH_AES_128_CBC_SHA256"); - case 0x00003D: return("TLS_RSA_WITH_AES_256_CBC_SHA256"); - case 0x00003E: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA256"); - case 0x00003F: 
return("TLS_DH_RSA_WITH_AES_128_CBC_SHA256"); - case 0x000040: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"); - case 0x000041: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"); - case 0x000042: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"); - case 0x000043: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"); - case 0x000044: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"); - case 0x000045: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"); - case 0x000046: return("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"); - case 0x000047: return("TLS_ECDH_ECDSA_WITH_NULL_SHA"); - case 0x000048: return("TLS_ECDH_ECDSA_WITH_RC4_128_SHA"); - case 0x000049: return("TLS_ECDH_ECDSA_WITH_DES_CBC_SHA"); - case 0x00004A: return("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00004B: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"); - case 0x00004C: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); - case 0x000060: return("TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"); - case 0x000061: return("TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"); - case 0x000062: return("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"); - case 0x000063: return("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"); - case 0x000064: return("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"); - case 0x000065: return("TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"); - case 0x000066: return("TLS_DHE_DSS_WITH_RC4_128_SHA"); - case 0x000067: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"); - case 0x000068: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA256"); - case 0x000069: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA256"); - case 0x00006A: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"); - case 0x00006B: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"); - case 0x00006C: return("TLS_DH_anon_WITH_AES_128_CBC_SHA256"); - case 0x00006D: return("TLS_DH_anon_WITH_AES_256_CBC_SHA256"); - case 0x000084: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"); - case 0x000085: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"); - case 0x000086: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"); - case 0x000087: 
return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"); - case 0x000088: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"); - case 0x000089: return("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"); - case 0x00008A: return("TLS_PSK_WITH_RC4_128_SHA"); - case 0x00008B: return("TLS_PSK_WITH_3DES_EDE_CBC_SHA"); - case 0x00008C: return("TLS_PSK_WITH_AES_128_CBC_SHA"); - case 0x00008D: return("TLS_PSK_WITH_AES_256_CBC_SHA"); - case 0x00008E: return("TLS_DHE_PSK_WITH_RC4_128_SHA"); - case 0x00008F: return("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"); - case 0x000090: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA"); - case 0x000091: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA"); - case 0x000092: return("TLS_RSA_PSK_WITH_RC4_128_SHA"); - case 0x000093: return("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"); - case 0x000094: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA"); - case 0x000095: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA"); - case 0x000096: return("TLS_RSA_WITH_SEED_CBC_SHA"); - case 0x000097: return("TLS_DH_DSS_WITH_SEED_CBC_SHA"); - case 0x000098: return("TLS_DH_RSA_WITH_SEED_CBC_SHA"); - case 0x000099: return("TLS_DHE_DSS_WITH_SEED_CBC_SHA"); - case 0x00009A: return("TLS_DHE_RSA_WITH_SEED_CBC_SHA"); - case 0x00009B: return("TLS_DH_anon_WITH_SEED_CBC_SHA"); - case 0x00009C: return("TLS_RSA_WITH_AES_128_GCM_SHA256"); - case 0x00009D: return("TLS_RSA_WITH_AES_256_GCM_SHA384"); - case 0x00009E: return("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"); - case 0x00009F: return("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"); - case 0x0000A0: return("TLS_DH_RSA_WITH_AES_128_GCM_SHA256"); - case 0x0000A1: return("TLS_DH_RSA_WITH_AES_256_GCM_SHA384"); - case 0x0000A2: return("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"); - case 0x0000A3: return("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"); - case 0x0000A4: return("TLS_DH_DSS_WITH_AES_128_GCM_SHA256"); - case 0x0000A5: return("TLS_DH_DSS_WITH_AES_256_GCM_SHA384"); - case 0x0000A6: return("TLS_DH_anon_WITH_AES_128_GCM_SHA256"); - case 0x0000A7: return("TLS_DH_anon_WITH_AES_256_GCM_SHA384"); - case 
0x0000A8: return("TLS_PSK_WITH_AES_128_GCM_SHA256"); - case 0x0000A9: return("TLS_PSK_WITH_AES_256_GCM_SHA384"); - case 0x0000AA: return("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"); - case 0x0000AB: return("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"); - case 0x0000AC: return("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"); - case 0x0000AD: return("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"); - case 0x0000AE: return("TLS_PSK_WITH_AES_128_CBC_SHA256"); - case 0x0000AF: return("TLS_PSK_WITH_AES_256_CBC_SHA384"); - case 0x0000B0: return("TLS_PSK_WITH_NULL_SHA256"); - case 0x0000B1: return("TLS_PSK_WITH_NULL_SHA384"); - case 0x0000B2: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"); - case 0x0000B3: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"); - case 0x0000B4: return("TLS_DHE_PSK_WITH_NULL_SHA256"); - case 0x0000B5: return("TLS_DHE_PSK_WITH_NULL_SHA384"); - case 0x0000B6: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"); - case 0x0000B7: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"); - case 0x0000B8: return("TLS_RSA_PSK_WITH_NULL_SHA256"); - case 0x0000B9: return("TLS_RSA_PSK_WITH_NULL_SHA384"); - case 0x0000BA: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"); - case 0x0000BB: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"); - case 0x0000BC: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"); - case 0x0000BD: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"); - case 0x0000BE: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"); - case 0x0000BF: return("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"); - case 0x0000C0: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"); - case 0x0000C1: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"); - case 0x0000C2: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"); - case 0x0000C3: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"); - case 0x0000C4: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"); - case 0x0000C5: return("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"); - case 0x0000FF: return("TLS_EMPTY_RENEGOTIATION_INFO_SCSV"); - case 0x00c001: 
return("TLS_ECDH_ECDSA_WITH_NULL_SHA"); - case 0x00c002: return("TLS_ECDH_ECDSA_WITH_RC4_128_SHA"); - case 0x00c003: return("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00c004: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"); - case 0x00c005: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); - case 0x00c006: return("TLS_ECDHE_ECDSA_WITH_NULL_SHA"); - case 0x00c007: return("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"); - case 0x00c008: return("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00c009: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"); - case 0x00c00a: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"); - case 0x00c00b: return("TLS_ECDH_RSA_WITH_NULL_SHA"); - case 0x00c00c: return("TLS_ECDH_RSA_WITH_RC4_128_SHA"); - case 0x00c00d: return("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00c00e: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"); - case 0x00c00f: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"); - case 0x00c010: return("TLS_ECDHE_RSA_WITH_NULL_SHA"); - case 0x00c011: return("TLS_ECDHE_RSA_WITH_RC4_128_SHA"); - case 0x00c012: return("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00c013: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); - case 0x00c014: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"); - case 0x00c015: return("TLS_ECDH_anon_WITH_NULL_SHA"); - case 0x00c016: return("TLS_ECDH_anon_WITH_RC4_128_SHA"); - case 0x00c017: return("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"); - case 0x00c018: return("TLS_ECDH_anon_WITH_AES_128_CBC_SHA"); - case 0x00c019: return("TLS_ECDH_anon_WITH_AES_256_CBC_SHA"); - case 0x00C01A: return("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"); - case 0x00C01B: return("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"); - case 0x00C01C: return("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"); - case 0x00C01D: return("TLS_SRP_SHA_WITH_AES_128_CBC_SHA"); - case 0x00C01E: return("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"); - case 0x00C01F: return("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"); - case 0x00C020: return("TLS_SRP_SHA_WITH_AES_256_CBC_SHA"); - case 0x00C021: 
return("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"); - case 0x00C022: return("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"); - case 0x00C023: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"); - case 0x00C024: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"); - case 0x00C025: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"); - case 0x00C026: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"); - case 0x00C027: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"); - case 0x00C028: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"); - case 0x00C029: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"); - case 0x00C02A: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"); - case 0x00C02B: return("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); - case 0x00C02C: return("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"); - case 0x00C02D: return("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"); - case 0x00C02E: return("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"); - case 0x00C02F: return("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); - case 0x00C030: return("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); - case 0x00C031: return("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"); - case 0x00C032: return("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"); - case 0x00C033: return("TLS_ECDHE_PSK_WITH_RC4_128_SHA"); - case 0x00C034: return("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"); - case 0x00C035: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"); - case 0x00C036: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"); - case 0x00C037: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"); - case 0x00C038: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"); - case 0x00C039: return("TLS_ECDHE_PSK_WITH_NULL_SHA"); - case 0x00C03A: return("TLS_ECDHE_PSK_WITH_NULL_SHA256"); - case 0x00C03B: return("TLS_ECDHE_PSK_WITH_NULL_SHA384"); - case 0x00CC13: return("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CC14: return("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CC15: return("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCA8: 
return("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCA9: return("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCAA: return("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCAB: return("TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCAC: return("TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCAD: return("TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00CCAE: return("TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"); - case 0x00E410: return("TLS_RSA_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E411: return("TLS_RSA_WITH_SALSA20_SHA1"); - case 0x00E412: return("TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E413: return("TLS_ECDHE_RSA_WITH_SALSA20_SHA1"); - case 0x00E414: return("TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E415: return("TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1"); - case 0x00E416: return("TLS_PSK_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E417: return("TLS_PSK_WITH_SALSA20_SHA1"); - case 0x00E418: return("TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E419: return("TLS_ECDHE_PSK_WITH_SALSA20_SHA1"); - case 0x00E41A: return("TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E41B: return("TLS_RSA_PSK_WITH_SALSA20_SHA1"); - case 0x00E41C: return("TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E41D: return("TLS_DHE_PSK_WITH_SALSA20_SHA1"); - case 0x00E41E: return("TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1"); - case 0x00E41F: return("TLS_DHE_RSA_WITH_SALSA20_SHA1"); - case 0x00fefe: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA"); - case 0x00feff: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"); - case 0x00ffe0: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"); - case 0x00ffe1: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA"); - case 0x010080: return("SSL2_RC4_128_WITH_MD5"); - case 0x020080: return("SSL2_RC4_128_EXPORT40_WITH_MD5"); - case 0x030080: return("SSL2_RC2_128_CBC_WITH_MD5"); - case 0x040080: return("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"); - case 0x050080: return("SSL2_IDEA_128_CBC_WITH_MD5"); - case 
0x060040: return("SSL2_DES_64_CBC_WITH_MD5"); - case 0x0700c0: return("SSL2_DES_192_EDE3_CBC_WITH_MD5"); - case 0x080080: return("SSL2_RC4_64_WITH_MD5"); - default: return("???"); - } -} - -/* ***************************************************** */ - /** * @brief free wrapper function */ diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index afe22c329..206007a66 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -58,7 +58,7 @@ extern "C" { * else 0 * */ - int check_punycode_string(char *buff, int len); + int ndpi_check_punycode_string(char *buff, int len); /** @@ -807,7 +807,8 @@ extern "C" { u_int16_t src_port, u_int16_t dst_port, u_int8_t icmp_type, u_int8_t icmp_code, u_char *hash_buf, u_int8_t hash_buf_len); - u_int8_t ndpi_is_safe_ssl_cipher(u_int16_t cipher); + u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher); + const char* ndpi_cipher2str(u_int32_t cipher); #ifdef __cplusplus } #endif diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 65934502d..aa2bbcc31 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -17,7 +17,7 @@ CC = @CC@ CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -O2 -g RANLIB = ranlib -OBJECTS = $(patsubst protocols/%.c, protocols/%.o, $(wildcard protocols/*.c)) $(patsubst third_party/src/%.c, third_party/src/%.o, $(wildcard third_party/src/*.c)) ndpi_main.o +OBJECTS = $(patsubst protocols/%.c, protocols/%.o, $(wildcard protocols/*.c)) $(patsubst third_party/src/%.c, third_party/src/%.o, $(wildcard third_party/src/*.c)) ndpi_main.o ndpi_utils.o HEADERS = $(wildcard ../include/*.h) NDPI_VERSION_MAJOR = @NDPI_MAJOR@ NDPI_LIB_STATIC = libndpi.a diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 4bc89fb6e..85fed4d0c 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
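Review bot: The rename exports `ndpi_check_punycode_string(char *buff, int len)` as library API, but the body removed from ndpi_main.c in this same commit loops with `while(i++ < len)` and then reads `buffer[i]` through `buffer[i+3]`, so index 0 is never tested and the last iterations read up to `buffer[len+3]`. If that body was moved unchanged into ndpi_utils.c (not visible here), callers passing packet-derived buffers get reads past `len`. A bounded loop such as `for(i = 0; i + 3 < len; i++)` with the same four comparisons keeps every read inside the buffer, and the doc comment above the prototype should state that `len` is the number of readable bytes in `buff`.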
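Review bot: The two cipher prototypes are added without the doc comments the rest of this header carries, and the return contract of `ndpi_is_safe_ssl_cipher` is not what its name suggests: the implementation removed from ndpi_main.c returns the matching entry's `weakness_type`, and `NDPI_CIPHER_SAFE` when nothing matches, rather than a boolean. I would add `/* Returns a ndpi_cipher_weakness value (NDPI_CIPHER_SAFE, NDPI_CIPHER_WEAK or NDPI_CIPHER_INSECURE) for the cipher suite id */` above it and `/* Returns a static string naming the cipher suite id */` above `ndpi_cipher2str`, the latter to be confirmed against ndpi_utils.c. The parameter is widened to `u_int32_t` while the removed table struct declared `u_int16_t cipher_id`; if the moved table kept that field width, ids above 0xFFFF can never match and fall through to `NDPI_CIPHER_SAFE`.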
@@ -55,180 +55,6 @@ static int _ndpi_debug_callbacks = 0; // #define MATCH_DEBUG 1 -/* implementation of the punycode check function */ -int check_punycode_string(char * buffer , int len) -{ - int i = 0; - - while(i++ < len) - { - if( buffer[i] == 'x' && - buffer[i+1] == 'n' && - buffer[i+2] == '-' && - buffer[i+3] == '-' ) - // is a punycode string - return 1; - } - // not a punycode string - return 0; -} - -/* ftp://ftp.cc.uoc.gr/mirrors/OpenBSD/src/lib/libc/stdlib/tsearch.c */ -/* find or insert datum into search tree */ -void * ndpi_tsearch(const void *vkey, void **vrootp, - int (*compar)(const void *, const void *)) -{ - ndpi_node *q; - char *key = (char *)vkey; - ndpi_node **rootp = (ndpi_node **)vrootp; - - if(rootp == (ndpi_node **)0) - return ((void *)0); - while (*rootp != (ndpi_node *)0) { /* Knuth's T1: */ - int r; - - if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */ - return ((void *)*rootp); /* we found it! */ - rootp = (r < 0) ? - &(*rootp)->left : /* T3: follow left branch */ - &(*rootp)->right; /* T4: follow right branch */ - } - q = (ndpi_node *) ndpi_malloc(sizeof(ndpi_node)); /* T5: key not found */ - if(q != (ndpi_node *)0) { /* make new node */ - *rootp = q; /* link new node to old */ - q->key = key; /* initialize new node */ - q->left = q->right = (ndpi_node *)0; - } - return ((void *)q); -} - -/* delete node with given key */ -void * ndpi_tdelete(const void *vkey, void **vrootp, - int (*compar)(const void *, const void *)) -{ - ndpi_node **rootp = (ndpi_node **)vrootp; - char *key = (char *)vkey; - ndpi_node *p = (ndpi_node *)1; - ndpi_node *q; - ndpi_node *r; - int cmp; - - if(rootp == (ndpi_node **)0 || *rootp == (ndpi_node *)0) - return ((ndpi_node *)0); - while ((cmp = (*compar)(key, (*rootp)->key)) != 0) { - p = *rootp; - rootp = (cmp < 0) ? 
- &(*rootp)->left : /* follow left branch */ - &(*rootp)->right; /* follow right branch */ - if(*rootp == (ndpi_node *)0) - return ((void *)0); /* key not found */ - } - r = (*rootp)->right; /* D1: */ - if((q = (*rootp)->left) == (ndpi_node *)0) /* Left (ndpi_node *)0? */ - q = r; - else if(r != (ndpi_node *)0) { /* Right link is null? */ - if(r->left == (ndpi_node *)0) { /* D2: Find successor */ - r->left = q; - q = r; - } else { /* D3: Find (ndpi_node *)0 link */ - for(q = r->left; q->left != (ndpi_node *)0; q = r->left) - r = q; - r->left = q->right; - q->left = (*rootp)->left; - q->right = (*rootp)->right; - } - } - ndpi_free((ndpi_node *) *rootp); /* D4: Free node */ - *rootp = q; /* link parent to new node */ - return(p); -} - -/* Walk the nodes of a tree */ -static void ndpi_trecurse(ndpi_node *root, void (*action)(const void *, ndpi_VISIT, int, void*), int level, void *user_data) -{ - if(root->left == (ndpi_node *)0 && root->right == (ndpi_node *)0) - (*action)(root, ndpi_leaf, level, user_data); - else { - (*action)(root, ndpi_preorder, level, user_data); - if(root->left != (ndpi_node *)0) - ndpi_trecurse(root->left, action, level + 1, user_data); - (*action)(root, ndpi_postorder, level, user_data); - if(root->right != (ndpi_node *)0) - ndpi_trecurse(root->right, action, level + 1, user_data); - (*action)(root, ndpi_endorder, level, user_data); - } -} - -/* Walk the nodes of a tree */ -void ndpi_twalk(const void *vroot, void (*action)(const void *, ndpi_VISIT, int, void *), void *user_data) -{ - ndpi_node *root = (ndpi_node *)vroot; - - if(root != (ndpi_node *)0 && action != (void (*)(const void *, ndpi_VISIT, int, void*))0) - ndpi_trecurse(root, action, 0, user_data); -} - -/* find a node, or return 0 */ -void * ndpi_tfind(const void *vkey, void *vrootp, - int (*compar)(const void *, const void *)) -{ - char *key = (char *)vkey; - ndpi_node **rootp = (ndpi_node **)vrootp; - - if(rootp == (ndpi_node **)0) - return ((ndpi_node *)0); - while (*rootp != 
(ndpi_node *)0) { /* T1: */ - int r; - if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */ - return (*rootp); /* key found */ - rootp = (r < 0) ? - &(*rootp)->left : /* T3: follow left branch */ - &(*rootp)->right; /* T4: follow right branch */ - } - return (ndpi_node *)0; -} - -/* ****************************************** */ - -/* Walk the nodes of a tree */ -static void ndpi_tdestroy_recurse(ndpi_node* root, void (*free_action)(void *)) -{ - if(root->left != NULL) - ndpi_tdestroy_recurse(root->left, free_action); - if(root->right != NULL) - ndpi_tdestroy_recurse(root->right, free_action); - - (*free_action) ((void *) root->key); - ndpi_free(root); -} - -void ndpi_tdestroy(void *vrootp, void (*freefct)(void *)) -{ - ndpi_node *root = (ndpi_node *) vrootp; - - if(root != NULL) - ndpi_tdestroy_recurse(root, freefct); -} - -/* ****************************************** */ - -u_int8_t ndpi_net_match(u_int32_t ip_to_check, - u_int32_t net, - u_int32_t num_bits) -{ - u_int32_t mask = 0; - - mask = ~(~mask >> num_bits); - - return(((ip_to_check & mask) == (net & mask)) ? 1 : 0); -} - -u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst, - u_int32_t net, u_int32_t num_bits) -{ - return(ndpi_net_match(src, net, num_bits) || ndpi_net_match(dst, net, num_bits)); -} - /* ****************************************** */ static void *(*_ndpi_flow_malloc)(size_t size); 
@@ -239,197 +65,6 @@ static void (*_ndpi_free)(void *ptr); /* ****************************************** */ -#ifdef WIN32 -/* http://opensource.apple.com/source/Libc/Libc-186/string.subproj/strcasecmp.c */ - -/* - * This array is designed for mapping upper and lower case letter - * together for a case independent comparison. The mappings are - * based upon ascii character sequences. - */ -static const u_char charmap[] = { - '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007', - '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017', - '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027', - '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037', - '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047', - '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057', - '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067', - '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077', - '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147', - '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157', - '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167', - '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137', - '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147', - '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157', - '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167', - '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177', - '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207', - '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217', - '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227', - '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237', - '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247', - '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257', - '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267', - '\270', '\271', '\272', '\273', '\274', '\275', 
'\276', '\277', - '\300', '\301', '\302', '\303', '\304', '\305', '\306', '\307', - '\310', '\311', '\312', '\313', '\314', '\315', '\316', '\317', - '\320', '\321', '\322', '\323', '\324', '\325', '\326', '\327', - '\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337', - '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347', - '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357', - '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367', - '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377', -}; - -int strcasecmp(s1, s2) - const char *s1, *s2; -{ - register const u_char *cm = charmap, - *us1 = (const u_char *)s1, - *us2 = (const u_char *)s2; - - while (cm[*us1] == cm[*us2++]) - if(*us1++ == '\0') - return (0); - return (cm[*us1] - cm[*--us2]); -} - -int strncasecmp(s1, s2, n) - const char *s1, *s2; - register size_t n; -{ - if(n != 0) { - register const u_char *cm = charmap, - *us1 = (const u_char *)s1, - *us2 = (const u_char *)s2; - - do { - if(cm[*us1] != cm[*us2++]) - return (cm[*us1] - cm[*--us2]); - if(*us1++ == '\0') - break; - } while (--n != 0); - } - return (0); -} - -#endif - -/* ****************************************** */ - -/* Keep it in order and in sync with ndpi_protocol_category_t in ndpi_typedefs.h */ -static const char* categories[] = { - "Unspecified", - "Media", - "VPN", - "Email", - "DataTransfer", - "Web", - "SocialNetwork", - "Download-FileTransfer-FileSharing", - "Game", - "Chat", - "VoIP", - "Database", - "RemoteAccess", - "Cloud", - "Network", - "Collaborative", - "RPC", - "Streaming", - "System", - "SoftwareUpdate", - "", - "", - "", - "", - "", - "Music", - "Video", - "Shopping", - "Productivity", - "FileSharing", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - 
"", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "Mining", /* 99 */ - "Malware", - "Advertisement", - "Banned_Site", - "Site_Unavailable", - "Allowed_Site", - "Antimalware", -}; - -/* ****************************************** */ - /* Forward */ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod, ndpi_port_range *range, @@ -2290,6 +1925,118 @@ void set_ndpi_debug_function(struct ndpi_detection_module_struct *ndpi_str, ndpi #endif } +/* ****************************************** */ + +/* Keep it in order and in sync with ndpi_protocol_category_t in ndpi_typedefs.h */ +static const char* categories[] = { + "Unspecified", + "Media", + "VPN", + "Email", + "DataTransfer", + "Web", + "SocialNetwork", + "Download-FileTransfer-FileSharing", + "Game", + "Chat", + "VoIP", + "Database", + "RemoteAccess", + "Cloud", + "Network", + "Collaborative", + "RPC", + "Streaming", + "System", + "SoftwareUpdate", + "", + "", + "", + "", + "", + "Music", + "Video", + "Shopping", + "Productivity", + "FileSharing", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "Mining", /* 99 */ + "Malware", + "Advertisement", + "Banned_Site", + "Site_Unavailable", + "Allowed_Site", + "Antimalware", +}; + /* ******************************************************************** */ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) { 
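Review bot: The `categories[]` table re-added in this hunk is tied to `ndpi_protocol_category_t` only by position, with roughly seventy `""` fillers before `"Mining", /* 99 */`; one missing or extra filler silently shifts every later name, including `"Malware"`. Designated initializers make each slot explicit, for example `[99] = "Mining",` or better the enum constant that has that value, and a compile-time check of the element count against the enum's size would catch drift. The code that indexes this array is outside the hunk, so whether the category value is bounds-checked before the lookup is not visible here.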
@@ -6408,51 +6155,3 @@ int ndpi_flowv6_flow_hash(u_int8_t l4_proto, struct ndpi_in6_addr *src_ip, struc /* **************************************** */ -/* **************************************** */ - -struct cipher_weakness { - u_int16_t cipher_id; - ndpi_cipher_weakness weakness_type; -}; - -static struct cipher_weakness safe_ssl_ciphers[] = { - /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */ - /* INSECURE */ - { 0xc011, NDPI_CIPHER_INSECURE }, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */ - { 0x0005, NDPI_CIPHER_INSECURE }, /* TLS_RSA_WITH_RC4_128_SHA */ - { 0x0004, NDPI_CIPHER_INSECURE }, /* TLS_RSA_WITH_RC4_128_MD5 */ - /* WEAK */ - { 0x009d, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */ - { 0x003d, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */ - { 0x0035, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_CBC_SHA */ - { 0x0084, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */ - { 0x009c, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */ - { 0x003c, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */ - { 0x002f, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_CBC_SHA */ - { 0x0041, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */ - { 0xc012, NDPI_CIPHER_WEAK }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */ - { 0x0016, NDPI_CIPHER_WEAK }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ - { 0x000a, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */ - { 0x0096, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_SEED_CBC_SHA */ - { 0x0007, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_IDEA_CBC_SHA */ - - { 0x0, NDPI_CIPHER_SAFE } /* END */ -}; - -u_int8_t ndpi_is_safe_ssl_cipher(u_int16_t cipher) { - u_int i; - - for(i=0; safe_ssl_ciphers[i].cipher_id != 0; i++) { - if(safe_ssl_ciphers[i].cipher_id == cipher) { -#ifdef CERTIFICATE_DEBUG - printf("%s %s(%04X / %u)\n", - (safe_ssl_ciphers[i].weakness_type == NDPI_CIPHER_WEAK) ? 
"WEAK" : "INSECURE", - __FUNCTION__, cipher, cipher); -#endif - - return(safe_ssl_ciphers[i].weakness_type); - } - } - - return(NDPI_CIPHER_SAFE); /* We're safe */ -} diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c new file mode 100644 index 000000000..610fe06c9 --- /dev/null +++ b/src/lib/ndpi_utils.c 
@@ -0,0 +1,620 @@
+/*
+ * ndpi_utils.cc
+ *
+ * Copyright (C) 2011-19 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "ndpi_config.h"
+#endif
+
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include "ahocorasick.h"
+#include "libcache.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN
+
+#include "ndpi_api.h"
+#include "ndpi_config.h"
+
+#include <time.h>
+#ifndef WIN32
+#include <unistd.h>
+#endif
+
+#if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__
+#include <sys/endian.h>
+#endif
+
+#include "third_party/include/ndpi_patricia.h"
+#include "third_party/include/ht_hash.h"
+
+#define NDPI_CONST_GENERIC_PROTOCOL_NAME "GenericProtocol"
+
+static int _ndpi_debug_callbacks = 0;
+
+// #define MATCH_DEBUG 1
+
+/* implementation of the punycode check function */
+int ndpi_check_punycode_string(char * buffer , int len) {
+ int i = 0;
+
+ while(i++ < len) {
+ if((buffer[i] == 'x')
+ && (buffer[i+1] == 'n')
+ && (buffer[i+2] == '-')
+ && (buffer[i+3] == '-'))
+ // is a punycode string
+ return(1);
+ }
+
+ // not a punycode string
+ return 0;
+}
+
+/* ftp://ftp.cc.uoc.gr/mirrors/OpenBSD/src/lib/libc/stdlib/tsearch.c */
+/* find or insert datum into search tree */
+void * ndpi_tsearch(const void *vkey, void **vrootp,
+ int (*compar)(const void *, const void *))
+{
+ ndpi_node *q;
+ char *key = (char *)vkey;
+ ndpi_node **rootp = (ndpi_node **)vrootp;
+
+ if(rootp == (ndpi_node **)0)
+ return ((void *)0);
+ while (*rootp != (ndpi_node *)0) { /* Knuth's T1: */
+ int r;
+
+ if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */
+ return ((void *)*rootp); /* we found it! */
+ rootp = (r < 0) ?
+ &(*rootp)->left : /* T3: follow left branch */
+ &(*rootp)->right; /* T4: follow right branch */
+ }
+ q = (ndpi_node *) ndpi_malloc(sizeof(ndpi_node)); /* T5: key not found */
+ if(q != (ndpi_node *)0) { /* make new node */
+ *rootp = q; /* link new node to old */
+ q->key = key; /* initialize new node */
+ q->left = q->right = (ndpi_node *)0;
+ }
+ return ((void *)q);
+}
+
+/* delete node with given key */
+void * ndpi_tdelete(const void *vkey, void **vrootp,
+ int (*compar)(const void *, const void *))
+{
+ ndpi_node **rootp = (ndpi_node **)vrootp;
+ char *key = (char *)vkey;
+ ndpi_node *p = (ndpi_node *)1;
+ ndpi_node *q;
+ ndpi_node *r;
+ int cmp;
+
+ if(rootp == (ndpi_node **)0 || *rootp == (ndpi_node *)0)
+ return ((ndpi_node *)0);
+ while ((cmp = (*compar)(key, (*rootp)->key)) != 0) {
+ p = *rootp;
+ rootp = (cmp < 0) ?
+ &(*rootp)->left : /* follow left branch */
+ &(*rootp)->right; /* follow right branch */
+ if(*rootp == (ndpi_node *)0)
+ return ((void *)0); /* key not found */
+ }
+ r = (*rootp)->right; /* D1: */
+ if((q = (*rootp)->left) == (ndpi_node *)0) /* Left (ndpi_node *)0? */
+ q = r;
+ else if(r != (ndpi_node *)0) { /* Right link is null? */
+ if(r->left == (ndpi_node *)0) { /* D2: Find successor */
+ r->left = q;
+ q = r;
+ } else { /* D3: Find (ndpi_node *)0 link */
+ for(q = r->left; q->left != (ndpi_node *)0; q = r->left)
+ r = q;
+ r->left = q->right;
+ q->left = (*rootp)->left;
+ q->right = (*rootp)->right;
+ }
+ }
+ ndpi_free((ndpi_node *) *rootp); /* D4: Free node */
+ *rootp = q; /* link parent to new node */
+ return(p);
+}
+
+/* Walk the nodes of a tree */
+static void ndpi_trecurse(ndpi_node *root, void (*action)(const void *, ndpi_VISIT, int, void*), int level, void *user_data)
+{
+ if(root->left == (ndpi_node *)0 && root->right == (ndpi_node *)0)
+ (*action)(root, ndpi_leaf, level, user_data);
+ else {
+ (*action)(root, ndpi_preorder, level, user_data);
+ if(root->left != (ndpi_node *)0)
+ ndpi_trecurse(root->left, action, level + 1, user_data);
+ (*action)(root, ndpi_postorder, level, user_data);
+ if(root->right != (ndpi_node *)0)
+ ndpi_trecurse(root->right, action, level + 1, user_data);
+ (*action)(root, ndpi_endorder, level, user_data);
+ }
+}
+
+/* Walk the nodes of a tree */
+void ndpi_twalk(const void *vroot, void (*action)(const void *, ndpi_VISIT, int, void *), void *user_data)
+{
+ ndpi_node *root = (ndpi_node *)vroot;
+
+ if(root != (ndpi_node *)0 && action != (void (*)(const void *, ndpi_VISIT, int, void*))0)
+ ndpi_trecurse(root, action, 0, user_data);
+}
+
+/* find a node, or return 0 */
+void * ndpi_tfind(const void *vkey, void *vrootp,
+ int (*compar)(const void *, const void *))
+{
+ char *key = (char *)vkey;
+ ndpi_node **rootp = (ndpi_node **)vrootp;
+
+ if(rootp == (ndpi_node **)0)
+ return ((ndpi_node *)0);
+ while (*rootp != (ndpi_node *)0) { /* T1: */
+ int r;
+ if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */
+ return (*rootp); /* key found */
+ rootp = (r < 0) ?
+ &(*rootp)->left : /* T3: follow left branch */
+ &(*rootp)->right; /* T4: follow right branch */
+ }
+ return (ndpi_node *)0;
+}
+
+/* ****************************************** */
+
+/* Walk the nodes of a tree */
+static void ndpi_tdestroy_recurse(ndpi_node* root, void (*free_action)(void *))
+{
+ if(root->left != NULL)
+ ndpi_tdestroy_recurse(root->left, free_action);
+ if(root->right != NULL)
+ ndpi_tdestroy_recurse(root->right, free_action);
+
+ (*free_action) ((void *) root->key);
+ ndpi_free(root);
+}
+
+void ndpi_tdestroy(void *vrootp, void (*freefct)(void *))
+{
+ ndpi_node *root = (ndpi_node *) vrootp;
+
+ if(root != NULL)
+ ndpi_tdestroy_recurse(root, freefct);
+}
+
+/* ****************************************** */
+
+u_int8_t ndpi_net_match(u_int32_t ip_to_check,
+ u_int32_t net,
+ u_int32_t num_bits)
+{
+ u_int32_t mask = 0;
+
+ mask = ~(~mask >> num_bits);
+
+ return(((ip_to_check & mask) == (net & mask)) ? 1 : 0);
+}
+
+u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst,
+ u_int32_t net, u_int32_t num_bits)
+{
+ return(ndpi_net_match(src, net, num_bits) || ndpi_net_match(dst, net, num_bits));
+}
+
+/* ****************************************** */
+
+#ifdef WIN32
+/* http://opensource.apple.com/source/Libc/Libc-186/string.subproj/strcasecmp.c */
+
+/*
+ * This array is designed for mapping upper and lower case letter
+ * together for a case independent comparison. The mappings are
+ * based upon ascii character sequences.
+ */ +static const u_char charmap[] = { + '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007', + '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017', + '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027', + '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037', + '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047', + '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057', + '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067', + '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077', + '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147', + '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157', + '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167', + '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137', + '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147', + '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157', + '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167', + '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177', + '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207', + '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217', + '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227', + '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237', + '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247', + '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257', + '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267', + '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277', + '\300', '\301', '\302', '\303', '\304', '\305', '\306', '\307', + '\310', '\311', '\312', '\313', '\314', '\315', '\316', '\317', + '\320', '\321', '\322', '\323', '\324', '\325', '\326', '\327', + '\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337', + '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347', + '\350', '\351', '\352', '\353', '\354', 
'\355', '\356', '\357', + '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367', + '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377', +}; + +int strcasecmp(const char *s1, const char *s2) { + register const u_char *cm = charmap, + *us1 = (const u_char *)s1, + *us2 = (const u_char *)s2; + + while (cm[*us1] == cm[*us2++]) + if(*us1++ == '\0') + return (0); + return (cm[*us1] - cm[*--us2]); +} + +/* ****************************************** */ + +int strncasecmp(const char *s1, const char *s2, size_t n) { + if(n != 0) { + register const u_char *cm = charmap, + *us1 = (const u_char *)s1, + *us2 = (const u_char *)s2; + + do { + if(cm[*us1] != cm[*us2++]) + return (cm[*us1] - cm[*--us2]); + if(*us1++ == '\0') + break; + } while (--n != 0); + } + return (0); +} + +#endif + +/* **************************************** */ + +struct cipher_weakness { + u_int16_t cipher_id; + ndpi_cipher_weakness weakness_type; +}; + +static struct cipher_weakness safe_ssl_ciphers[] = { + /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */ + /* INSECURE */ + { 0xc011, NDPI_CIPHER_INSECURE }, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */ + { 0x0005, NDPI_CIPHER_INSECURE }, /* TLS_RSA_WITH_RC4_128_SHA */ + { 0x0004, NDPI_CIPHER_INSECURE }, /* TLS_RSA_WITH_RC4_128_MD5 */ + /* WEAK */ + { 0x009d, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */ + { 0x003d, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */ + { 0x0035, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_256_CBC_SHA */ + { 0x0084, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */ + { 0x009c, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */ + { 0x003c, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */ + { 0x002f, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_AES_128_CBC_SHA */ + { 0x0041, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */ + { 0xc012, NDPI_CIPHER_WEAK }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */ + { 0x0016, NDPI_CIPHER_WEAK }, 
/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ + { 0x000a, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */ + { 0x0096, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_SEED_CBC_SHA */ + { 0x0007, NDPI_CIPHER_WEAK }, /* TLS_RSA_WITH_IDEA_CBC_SHA */ + + { 0x0, NDPI_CIPHER_SAFE } /* END */ +}; + +/* ***************************************************** */ + +u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher) { + u_int i; + + for(i=0; safe_ssl_ciphers[i].cipher_id != 0; i++) { + if(safe_ssl_ciphers[i].cipher_id == cipher) { +#ifdef CERTIFICATE_DEBUG + printf("%s %s(%04X / %u)\n", + (safe_ssl_ciphers[i].weakness_type == NDPI_CIPHER_WEAK) ? "WEAK" : "INSECURE", + __FUNCTION__, cipher, cipher); +#endif + + return(safe_ssl_ciphers[i].weakness_type); + } + } + + return(NDPI_CIPHER_SAFE); /* We're safe */ +} + +/* ***************************************************** */ + +const char* ndpi_cipher2str(u_int32_t cipher) { + switch(cipher) { + case 0x000000: return("TLS_NULL_WITH_NULL_NULL"); + case 0x000001: return("TLS_RSA_WITH_NULL_MD5"); + case 0x000002: return("TLS_RSA_WITH_NULL_SHA"); + case 0x000003: return("TLS_RSA_EXPORT_WITH_RC4_40_MD5"); + case 0x000004: return("TLS_RSA_WITH_RC4_128_MD5"); + case 0x000005: return("TLS_RSA_WITH_RC4_128_SHA"); + case 0x000006: return("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"); + case 0x000007: return("TLS_RSA_WITH_IDEA_CBC_SHA"); + case 0x000008: return("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"); + case 0x000009: return("TLS_RSA_WITH_DES_CBC_SHA"); + case 0x00000a: return("TLS_RSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00000b: return("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"); + case 0x00000c: return("TLS_DH_DSS_WITH_DES_CBC_SHA"); + case 0x00000d: return("TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"); + case 0x00000e: return("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"); + case 0x00000f: return("TLS_DH_RSA_WITH_DES_CBC_SHA"); + case 0x000010: return("TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"); + case 0x000011: return("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); + case 0x000012: 
return("TLS_DHE_DSS_WITH_DES_CBC_SHA"); + case 0x000013: return("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"); + case 0x000014: return("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"); + case 0x000015: return("TLS_DHE_RSA_WITH_DES_CBC_SHA"); + case 0x000016: return("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"); + case 0x000017: return("TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"); + case 0x000018: return("TLS_DH_anon_WITH_RC4_128_MD5"); + case 0x000019: return("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"); + case 0x00001a: return("TLS_DH_anon_WITH_DES_CBC_SHA"); + case 0x00001b: return("TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"); + case 0x00001c: return("SSL_FORTEZZA_KEA_WITH_NULL_SHA"); + case 0x00001d: return("SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"); + /* case 0x00001e: return("SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"); */ + case 0x00001E: return("TLS_KRB5_WITH_DES_CBC_SHA"); + case 0x00001F: return("TLS_KRB5_WITH_3DES_EDE_CBC_SHA"); + case 0x000020: return("TLS_KRB5_WITH_RC4_128_SHA"); + case 0x000021: return("TLS_KRB5_WITH_IDEA_CBC_SHA"); + case 0x000022: return("TLS_KRB5_WITH_DES_CBC_MD5"); + case 0x000023: return("TLS_KRB5_WITH_3DES_EDE_CBC_MD5"); + case 0x000024: return("TLS_KRB5_WITH_RC4_128_MD5"); + case 0x000025: return("TLS_KRB5_WITH_IDEA_CBC_MD5"); + case 0x000026: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"); + case 0x000027: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"); + case 0x000028: return("TLS_KRB5_EXPORT_WITH_RC4_40_SHA"); + case 0x000029: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"); + case 0x00002A: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"); + case 0x00002B: return("TLS_KRB5_EXPORT_WITH_RC4_40_MD5"); + case 0x00002C: return("TLS_PSK_WITH_NULL_SHA"); + case 0x00002D: return("TLS_DHE_PSK_WITH_NULL_SHA"); + case 0x00002E: return("TLS_RSA_PSK_WITH_NULL_SHA"); + case 0x00002f: return("TLS_RSA_WITH_AES_128_CBC_SHA"); + case 0x000030: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA"); + case 0x000031: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA"); + case 0x000032: 
return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); + case 0x000033: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA"); + case 0x000034: return("TLS_DH_anon_WITH_AES_128_CBC_SHA"); + case 0x000035: return("TLS_RSA_WITH_AES_256_CBC_SHA"); + case 0x000036: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA"); + case 0x000037: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA"); + case 0x000038: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA"); + case 0x000039: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA"); + case 0x00003A: return("TLS_DH_anon_WITH_AES_256_CBC_SHA"); + case 0x00003B: return("TLS_RSA_WITH_NULL_SHA256"); + case 0x00003C: return("TLS_RSA_WITH_AES_128_CBC_SHA256"); + case 0x00003D: return("TLS_RSA_WITH_AES_256_CBC_SHA256"); + case 0x00003E: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA256"); + case 0x00003F: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA256"); + case 0x000040: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"); + case 0x000041: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"); + case 0x000042: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"); + case 0x000043: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"); + case 0x000044: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"); + case 0x000045: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"); + case 0x000046: return("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"); + case 0x000047: return("TLS_ECDH_ECDSA_WITH_NULL_SHA"); + case 0x000048: return("TLS_ECDH_ECDSA_WITH_RC4_128_SHA"); + case 0x000049: return("TLS_ECDH_ECDSA_WITH_DES_CBC_SHA"); + case 0x00004A: return("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00004B: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"); + case 0x00004C: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); + case 0x000060: return("TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"); + case 0x000061: return("TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"); + case 0x000062: return("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"); + case 0x000063: return("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"); + case 0x000064: return("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"); + case 0x000065: 
return("TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"); + case 0x000066: return("TLS_DHE_DSS_WITH_RC4_128_SHA"); + case 0x000067: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"); + case 0x000068: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA256"); + case 0x000069: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA256"); + case 0x00006A: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"); + case 0x00006B: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"); + case 0x00006C: return("TLS_DH_anon_WITH_AES_128_CBC_SHA256"); + case 0x00006D: return("TLS_DH_anon_WITH_AES_256_CBC_SHA256"); + case 0x000084: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"); + case 0x000085: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"); + case 0x000086: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"); + case 0x000087: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"); + case 0x000088: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"); + case 0x000089: return("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"); + case 0x00008A: return("TLS_PSK_WITH_RC4_128_SHA"); + case 0x00008B: return("TLS_PSK_WITH_3DES_EDE_CBC_SHA"); + case 0x00008C: return("TLS_PSK_WITH_AES_128_CBC_SHA"); + case 0x00008D: return("TLS_PSK_WITH_AES_256_CBC_SHA"); + case 0x00008E: return("TLS_DHE_PSK_WITH_RC4_128_SHA"); + case 0x00008F: return("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"); + case 0x000090: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA"); + case 0x000091: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA"); + case 0x000092: return("TLS_RSA_PSK_WITH_RC4_128_SHA"); + case 0x000093: return("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"); + case 0x000094: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA"); + case 0x000095: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA"); + case 0x000096: return("TLS_RSA_WITH_SEED_CBC_SHA"); + case 0x000097: return("TLS_DH_DSS_WITH_SEED_CBC_SHA"); + case 0x000098: return("TLS_DH_RSA_WITH_SEED_CBC_SHA"); + case 0x000099: return("TLS_DHE_DSS_WITH_SEED_CBC_SHA"); + case 0x00009A: return("TLS_DHE_RSA_WITH_SEED_CBC_SHA"); + case 0x00009B: return("TLS_DH_anon_WITH_SEED_CBC_SHA"); + case 
0x00009C: return("TLS_RSA_WITH_AES_128_GCM_SHA256"); + case 0x00009D: return("TLS_RSA_WITH_AES_256_GCM_SHA384"); + case 0x00009E: return("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"); + case 0x00009F: return("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"); + case 0x0000A0: return("TLS_DH_RSA_WITH_AES_128_GCM_SHA256"); + case 0x0000A1: return("TLS_DH_RSA_WITH_AES_256_GCM_SHA384"); + case 0x0000A2: return("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"); + case 0x0000A3: return("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"); + case 0x0000A4: return("TLS_DH_DSS_WITH_AES_128_GCM_SHA256"); + case 0x0000A5: return("TLS_DH_DSS_WITH_AES_256_GCM_SHA384"); + case 0x0000A6: return("TLS_DH_anon_WITH_AES_128_GCM_SHA256"); + case 0x0000A7: return("TLS_DH_anon_WITH_AES_256_GCM_SHA384"); + case 0x0000A8: return("TLS_PSK_WITH_AES_128_GCM_SHA256"); + case 0x0000A9: return("TLS_PSK_WITH_AES_256_GCM_SHA384"); + case 0x0000AA: return("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"); + case 0x0000AB: return("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"); + case 0x0000AC: return("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"); + case 0x0000AD: return("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"); + case 0x0000AE: return("TLS_PSK_WITH_AES_128_CBC_SHA256"); + case 0x0000AF: return("TLS_PSK_WITH_AES_256_CBC_SHA384"); + case 0x0000B0: return("TLS_PSK_WITH_NULL_SHA256"); + case 0x0000B1: return("TLS_PSK_WITH_NULL_SHA384"); + case 0x0000B2: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"); + case 0x0000B3: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"); + case 0x0000B4: return("TLS_DHE_PSK_WITH_NULL_SHA256"); + case 0x0000B5: return("TLS_DHE_PSK_WITH_NULL_SHA384"); + case 0x0000B6: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"); + case 0x0000B7: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"); + case 0x0000B8: return("TLS_RSA_PSK_WITH_NULL_SHA256"); + case 0x0000B9: return("TLS_RSA_PSK_WITH_NULL_SHA384"); + case 0x0000BA: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"); + case 0x0000BB: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"); + case 0x0000BC: 
return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"); + case 0x0000BD: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"); + case 0x0000BE: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"); + case 0x0000BF: return("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"); + case 0x0000C0: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"); + case 0x0000C1: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"); + case 0x0000C2: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"); + case 0x0000C3: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"); + case 0x0000C4: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"); + case 0x0000C5: return("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"); + case 0x0000FF: return("TLS_EMPTY_RENEGOTIATION_INFO_SCSV"); + case 0x00c001: return("TLS_ECDH_ECDSA_WITH_NULL_SHA"); + case 0x00c002: return("TLS_ECDH_ECDSA_WITH_RC4_128_SHA"); + case 0x00c003: return("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00c004: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"); + case 0x00c005: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); + case 0x00c006: return("TLS_ECDHE_ECDSA_WITH_NULL_SHA"); + case 0x00c007: return("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"); + case 0x00c008: return("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00c009: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"); + case 0x00c00a: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"); + case 0x00c00b: return("TLS_ECDH_RSA_WITH_NULL_SHA"); + case 0x00c00c: return("TLS_ECDH_RSA_WITH_RC4_128_SHA"); + case 0x00c00d: return("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00c00e: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"); + case 0x00c00f: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"); + case 0x00c010: return("TLS_ECDHE_RSA_WITH_NULL_SHA"); + case 0x00c011: return("TLS_ECDHE_RSA_WITH_RC4_128_SHA"); + case 0x00c012: return("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00c013: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); + case 0x00c014: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"); + case 0x00c015: 
return("TLS_ECDH_anon_WITH_NULL_SHA"); + case 0x00c016: return("TLS_ECDH_anon_WITH_RC4_128_SHA"); + case 0x00c017: return("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"); + case 0x00c018: return("TLS_ECDH_anon_WITH_AES_128_CBC_SHA"); + case 0x00c019: return("TLS_ECDH_anon_WITH_AES_256_CBC_SHA"); + case 0x00C01A: return("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"); + case 0x00C01B: return("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"); + case 0x00C01C: return("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"); + case 0x00C01D: return("TLS_SRP_SHA_WITH_AES_128_CBC_SHA"); + case 0x00C01E: return("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"); + case 0x00C01F: return("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"); + case 0x00C020: return("TLS_SRP_SHA_WITH_AES_256_CBC_SHA"); + case 0x00C021: return("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"); + case 0x00C022: return("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"); + case 0x00C023: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"); + case 0x00C024: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"); + case 0x00C025: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"); + case 0x00C026: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"); + case 0x00C027: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"); + case 0x00C028: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"); + case 0x00C029: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"); + case 0x00C02A: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"); + case 0x00C02B: return("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); + case 0x00C02C: return("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"); + case 0x00C02D: return("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"); + case 0x00C02E: return("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"); + case 0x00C02F: return("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); + case 0x00C030: return("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); + case 0x00C031: return("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"); + case 0x00C032: return("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"); + case 0x00C033: return("TLS_ECDHE_PSK_WITH_RC4_128_SHA"); + case 
0x00C034: return("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"); + case 0x00C035: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"); + case 0x00C036: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"); + case 0x00C037: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"); + case 0x00C038: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"); + case 0x00C039: return("TLS_ECDHE_PSK_WITH_NULL_SHA"); + case 0x00C03A: return("TLS_ECDHE_PSK_WITH_NULL_SHA256"); + case 0x00C03B: return("TLS_ECDHE_PSK_WITH_NULL_SHA384"); + case 0x00CC13: return("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CC14: return("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CC15: return("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCA8: return("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCA9: return("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCAA: return("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCAB: return("TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCAC: return("TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCAD: return("TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00CCAE: return("TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"); + case 0x00E410: return("TLS_RSA_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E411: return("TLS_RSA_WITH_SALSA20_SHA1"); + case 0x00E412: return("TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E413: return("TLS_ECDHE_RSA_WITH_SALSA20_SHA1"); + case 0x00E414: return("TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E415: return("TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1"); + case 0x00E416: return("TLS_PSK_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E417: return("TLS_PSK_WITH_SALSA20_SHA1"); + case 0x00E418: return("TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E419: return("TLS_ECDHE_PSK_WITH_SALSA20_SHA1"); + case 0x00E41A: return("TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E41B: return("TLS_RSA_PSK_WITH_SALSA20_SHA1"); + case 0x00E41C: 
return("TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E41D: return("TLS_DHE_PSK_WITH_SALSA20_SHA1"); + case 0x00E41E: return("TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1"); + case 0x00E41F: return("TLS_DHE_RSA_WITH_SALSA20_SHA1"); + case 0x00fefe: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA"); + case 0x00feff: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"); + case 0x00ffe0: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"); + case 0x00ffe1: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA"); + case 0x010080: return("SSL2_RC4_128_WITH_MD5"); + case 0x020080: return("SSL2_RC4_128_EXPORT40_WITH_MD5"); + case 0x030080: return("SSL2_RC2_128_CBC_WITH_MD5"); + case 0x040080: return("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"); + case 0x050080: return("SSL2_IDEA_128_CBC_WITH_MD5"); + case 0x060040: return("SSL2_DES_64_CBC_WITH_MD5"); + case 0x0700c0: return("SSL2_DES_192_EDE3_CBC_WITH_MD5"); + case 0x080080: return("SSL2_RC4_64_WITH_MD5"); + default: return("???"); + } +} + diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index eee31e94b..9b3a6c51b 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -317,7 +317,7 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { } /* check for punycode encoding */ - is_puny = check_punycode_string(buffer, buffer_len); + is_puny = ndpi_check_punycode_string(buffer, buffer_len); // not a punycode string - need more checks if(is_puny == 0) { diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 637f29815..387205dc0 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out 
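Review bot: `ndpi_check_punycode_string` in the new `src/lib/ndpi_utils.c` reads past the end of its buffer, because `while(i++ < len)` increments `i` before the body runs, so the body sees `i` from 1 to `len` and then dereferences `buffer[i]` through `buffer[i+3]`, i.e. up to `buffer[len+3]`. The same loop shape also never examines `buffer[0]`, so a string that starts with `xn--` is reported as not punycode. The only caller visible on this page, `stripCertificateTrailer` in `ssl.c`, passes `buffer` and `buffer_len`, which presumably hold certificate text taken from the wire, so the over-read would be driven by packet contents. I would bound the scan to complete four-byte windows, replacing the `while` header with `for(i = 0; i + 3 < len; i++)`, and document in the function comment that `len` is the number of readable bytes in `buffer`.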
@@ -32,11 +32,11 @@ LLMNR 89 6799 47 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com] 16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][cat: Network/14][14 pkts/4788 bytes -> 0 pkts/0 bytes] 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes] - 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] - 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] - 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] + 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] + 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] + 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][TLSv1.2][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: 
jp.kankan.1kxun.mobi] - 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)] + 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7.137/HTTP.GenericProtocol][cat: Streaming/17][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi] 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes] 25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/2450 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index af700dfbb..bc101179a 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out 
@@ -4,7 +4,7 @@ SSL 28 15397 1 ICMPV6 48 7862 3 Facebook 37 14726 3 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][TLSv1.2][JA3C: 812d8bce0f85487ba7834d36568ed586][server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14] + 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][TLSv1.2][JA3C: 812d8bce0f85487ba7834d36568ed586][server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][TLSv1][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3] 3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes] 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 55d11abdb..a9d6d1737 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out 
@@ -11,13 +11,13 @@ KakaoTalk 55 9990 15 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][TLSv1][JA3C: 051d20e8adbe8dac78945de300764d5e] 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][TLSv1][JA3C: 051d20e8adbe8dac78945de300764d5e] 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][TLSv1][JA3C: 051d20e8adbe8dac78945de300764d5e] - 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2] - 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2] - 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2] - 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)] + 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][15 
pkts/2508 bytes <-> 13 pkts/5053 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes] 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes] - 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/SSL.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][TLSv1][server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)] + 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/SSL.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][TLSv1][server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][TLS_RSA_WITH_RC4_128_MD5] 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com] 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com] 13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes] 
diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index a9f781f39..f9b99091d 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -12,7 +12,7 @@ KakaoTalk_Voice 44 6196 2 1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes] 2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes] 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 163/Tor][cat: VPN/2][22 pkts/5326 bytes <-> 18 pkts/5212 bytes] - 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/SSL][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][server: Kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)] + 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/SSL][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][server: Kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 64.119/SSL_No_Cert.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes] 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes] 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes] diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out index 56644e4e1..e62f6879b 100644 --- a/tests/result/dnscrypt.pcap.out +++ b/tests/result/dnscrypt.pcap.out 
@@ -1,6 +1,6 @@ SSL 111 44676 4 - 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][TLSv1.2][JA3C: b8f81673c0e1d29908346f3bab892b9b][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] - 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] - 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] - 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9] + 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][TLSv1.2][JA3C: b8f81673c0e1d29908346f3bab892b9b][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/SSL][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][TLSv1.2][JA3C: 83e04bc58d402f9633983cbf22724b02][server: 
simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out index d258599e3..969dbf587 100644 --- a/tests/result/google_ssl.pcap.out +++ b/tests/result/google_ssl.pcap.out @@ -1,3 +1,3 @@ Google 28 9108 1 - 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/SSL.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][TLSv1][server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)] + 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/SSL.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][TLSv1][server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)][TLS_RSA_WITH_RC4_128_SHA] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index 7d5c04255..803cd7f7b 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -15,7 +15,7 @@ Spotify 5 430 1 MS_OneDrive 387 198090 1 ApplePush 12 1877 1 - 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe] + 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes] 3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes] 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/SSL.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] 
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 696fd3687..24ccc2309 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -13,7 +13,7 @@ Apple 76 19581 1 MS_OneDrive 348 181687 1 ApplePush 8 1118 1 - 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe] + 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][cat: Cloud/13][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][TLSv1][server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes] 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 64.140/SSL_No_Cert.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes] 4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out index 2241d4f71..10f6d2e18 100644 --- a/tests/result/viber.pcap.out +++ b/tests/result/viber.pcap.out 
@@ -10,12 +10,12 @@ Amazon 71 24849 3 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/SSL.Viber][cat: VoIP/10][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][TLSv1][JA3C: d8c87b9bfde38897979e41242626c2f3] 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/SSL.Viber][cat: VoIP/10][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][TLSv1][JA3C: d8c87b9bfde38897979e41242626c2f3] - 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/SSL.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039] + 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/SSL.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: VoIP/10][32 pkts/6563 bytes <-> 26 pkts/2782 bytes] - 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][TLSv1.2][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164] - 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039] - 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/SSL][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: y.ssl.fastly.net][JA3S: 860fcf58fd757e26aa8911e5eaff6b53] - 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039] + 5 TCP 
192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][TLSv1.2][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/SSL][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: y.ssl.fastly.net][JA3S: 860fcf58fd757e26aa8911e5eaff6b53][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/SSL.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 9 UDP 192.168.0.17:47171 <-> 18.201.4.32:7985 [proto: 144/Viber][cat: VoIP/10][24 pkts/5035 bytes <-> 22 pkts/2302 bytes] 10 UDP 192.168.0.17:38190 <-> 18.201.4.3:7985 [proto: 144/Viber][cat: VoIP/10][25 pkts/4344 bytes <-> 18 pkts/1872 bytes] 11 ICMP 192.168.0.17:0 <-> 192.168.0.15:0 [proto: 81/ICMP][cat: Network/14][1 pkts/1514 bytes <-> 1 pkts/1514 bytes] diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index c654f4165..aa285ecd2 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out 
@@ -6,19 +6,19 @@ Google 13 2142 1 Waze 484 289335 19 WhatsApp 15 1341 1 - 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] + 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][cat: Web/5][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Host: xtra1.gpsonextra.net] - 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] - 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 
91.135/SSL.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] - 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] - 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] - 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75] + 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 
91.135/SSL.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][TLSv1][JA3C: 
f392f120f1087cd2f8814539cf58cfa4][server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] 14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Host: roadshields.waze.com] 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 64.126/SSL_No_Cert.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes] 16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][8 pkts/594 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index c5383f501..b1a686011 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out 
@@ -6,36 +6,36 @@ Google 17 6375 1 Webex 1380 818407 43 Amazon 33 9742 2 - 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][TLSv1][JA3C: f9010d8c34749bdf7659b52227e6f91b] 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][TLSv1][JA3C: f9010d8c34749bdf7659b52227e6f91b] - 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 
91.141/SSL.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] 8 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][cat: VoIP/10][22 pkts/15356 bytes -> 0 pkts/0 bytes] - 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)] - 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/SSL.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)] - 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1309 bytes 
<-> 7 pkts/6930 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][TLSv1][JA3C: 
64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][TLS_RSA_WITH_AES_128_CBC_SHA] + 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/SSL.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][TLSv1][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][TLS_RSA_WITH_RC4_128_MD5] + 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 
91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][TLSv1][JA3C: 
64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][TLSv1][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1] - 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][TLSv1][JA3C: 
7cb93b2404a98399e9f84c74fef1fb8f][server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)] - 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] - 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)] + 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] + 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 
91.141/SSL.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][TLS_RSA_WITH_AES_256_CBC_SHA] 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes] 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes] 33 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 11901a908..8b9574a71 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out 
@@ -15,9 +15,9 @@ ApplePush 22 5926 1 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes] 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes] 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes] - 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)] + 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][TLS_RSA_WITH_RC4_128_MD5] 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][TLSv1][JA3C: 799135475da362592a4be9199d258726] - 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)] + 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][TLS_RSA_WITH_RC4_128_MD5] 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes] 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 189/WhatsAppVoice][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes] 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac] |