diff options
54 files changed, 1397 insertions, 1735 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 40219acd4..ccd154870 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -602,7 +602,7 @@ void printCSVHeader() { fprintf(csv_fp, "client_info,server_info,"); fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,"); fprintf(csv_fp, "ja3s,tls_server_unsafe,"); - fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh"); + fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh,flow_info"); /* Joy */ if(enable_joy_stats) { @@ -1083,7 +1083,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa fprintf(csv_fp, "%u,%u,", flow->c_to_s_init_win, flow->s_to_c_init_win); fprintf(csv_fp, "%s,%s,", - (flow->ssh_tls.client_info[0] != '\0') ? flow->ssh_tls.client_info : "", + (flow->ssh_tls.client_requested_server_name[0] != '\0') ? flow->ssh_tls.client_requested_server_name : "", (flow->ssh_tls.server_info[0] != '\0') ? flow->ssh_tls.server_info : ""); fprintf(csv_fp, "%s,%s,%s,", @@ -1099,6 +1099,8 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa (flow->ssh_tls.client_hassh[0] != '\0') ? flow->ssh_tls.client_hassh : "", (flow->ssh_tls.server_hassh[0] != '\0') ? flow->ssh_tls.server_hassh : "" ); + + fprintf(csv_fp, ",%s", flow->info); } if((verbose != 1) && (verbose != 2)) { @@ -1205,13 +1207,15 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa flow->http.content_type, flow->http.user_agent); if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls)); - if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_info); + if(flow->ssh_tls.client_requested_server_name[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_requested_server_name); if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh); if(flow->ssh_tls.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_tls.ja3_client, print_cipher(flow->ssh_tls.client_unsafe_cipher)); if(flow->ssh_tls.server_info[0] != '\0') fprintf(out, "[Server: %s]", flow->ssh_tls.server_info); + + if(flow->ssh_tls.server_names) fprintf(out, "[ServerNames: %s]", flow->ssh_tls.server_names); if(flow->ssh_tls.server_hassh[0] != '\0') fprintf(out, "[HASSH-S: %s]", flow->ssh_tls.server_hassh); if(flow->ssh_tls.ja3_server[0] != '\0') fprintf(out, "[JA3S: %s%s]", flow->ssh_tls.ja3_server, @@ -1220,11 +1224,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)) { - if((flow->ssh_tls.sha1_cert_fingerprint[0] == 0) - && (flow->ssh_tls.sha1_cert_fingerprint[1] == 0) - && (flow->ssh_tls.sha1_cert_fingerprint[2] == 0)) - ; /* Looks empty */ - else { + if(flow->ssh_tls.sha1_cert_fingerprint_set) { fprintf(out, "[Certificate SHA-1: "); for(i=0; i<20; i++) fprintf(out, "%s%02X", (i > 0) ? ":" : "", @@ -2049,7 +2049,7 @@ static void printFlowsStats() { newHost->host_server_info_hasht = NULL; newHost->ip_string = all_flows[i].flow->src_name; newHost->ip = all_flows[i].flow->src_ip; - newHost->dns_name = all_flows[i].flow->ssh_tls.client_info; + newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name; ndpi_ja3_info *newJA3 = malloc(sizeof(ndpi_ja3_info)); newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client; @@ -2082,7 +2082,7 @@ static void printFlowsStats() { newHost->ip = all_flows[i].flow->src_ip; newHost->ip_string = all_flows[i].flow->src_name; - newHost->dns_name = all_flows[i].flow->ssh_tls.client_info;; + newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;; ndpi_ja3_fingerprints_host *newElement = malloc(sizeof(ndpi_ja3_fingerprints_host)); newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_client; @@ -2099,7 +2099,7 @@ static void printFlowsStats() { ndpi_ip_dns *newInnerElement = malloc(sizeof(ndpi_ip_dns)); newInnerElement->ip = all_flows[i].flow->src_ip; newInnerElement->ip_string = all_flows[i].flow->src_name; - newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_info; + newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name; HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement); } } diff --git a/example/reader_util.c b/example/reader_util.c index 1d19e8b41..b8fce9632 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -306,8 +306,6 @@ void ndpi_report_payload_stats() { } } - - /* ***************************************************** */ void ndpi_free_flow_info_half(struct ndpi_flow_info *flow) { @@ -457,9 +455,12 @@ void ndpi_flow_info_freer(void *node) { struct ndpi_flow_info *flow = (struct ndpi_flow_info*)node; ndpi_free_flow_info_half(flow); - ndpi_free_flow_data_analysis(flow); + if(flow->ssh_tls.server_names) { + ndpi_free(flow->ssh_tls.server_names); flow->ssh_tls.server_names = NULL; + } + ndpi_free(flow); } @@ -548,7 +549,7 @@ ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x, if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) { /* octet count was already incremented before processing this payload */ u_int32_t current_count; - + if(src_to_dst_direction) { current_count = flow->entropy.src2dst_l4_bytes - len; } else { @@ -558,7 +559,7 @@ ndpi_flow_update_byte_count(struct ndpi_flow_info *flow, const void *x, if(current_count < ETTA_MIN_OCTETS) { u_int32_t i; const unsigned char *data = x; - + for(i=0; i<len; i++) { if(src_to_dst_direction) { flow->entropy.src2dst_byte_count[data[i]]++; @@ -590,10 +591,10 @@ ndpi_flow_update_byte_dist_mean_var(ndpi_flow_info_t *flow, const void *x, if((flow->entropy.src2dst_pkt_count+flow->entropy.dst2src_pkt_count) <= max_num_packets_per_flow) { unsigned int i; - + for(i=0; i<len; i++) { double delta; - + if(src_to_dst_direction) { flow->entropy.src2dst_num_bytes += 1; delta = ((double)data[i] - flow->entropy.src2dst_bd_mean); @@ -617,9 +618,9 @@ float ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], int i; float sum = 0.0; - for(i=0; i<256; i++) { + for(i=0; i<256; i++) { float tmp = (float) byte_count[i] / (float) num_bytes; - + if(tmp > FLT_EPSILON) { sum -= tmp * logf(tmp); } @@ -687,7 +688,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow workflow->stats.packet_len[4]++; else if(l4_packet_len >= 1500) workflow->stats.packet_len[5]++; - + if(l4_packet_len > workflow->stats.max_packet_len) workflow->stats.max_packet_len = l4_packet_len; @@ -885,7 +886,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow rflow->entropy.dst2src_opackets++; } } - + return(rflow); } } @@ -993,6 +994,15 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } else if(flow->ndpi_flow->protos.kerberos.domain[0] != '\0') snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.kerberos.domain); + +#if 0 + if(flow->info[0] != '\0') + printf("->> (%d) [%s][%s][%s]<<--\n", + htons(flow->src_port), + flow->ndpi_flow->protos.kerberos.domain, + flow->ndpi_flow->protos.kerberos.hostname, + flow->ndpi_flow->protos.kerberos.username); +#endif } /* HTTP */ else if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) @@ -1007,7 +1017,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl snprintf(flow->telnet.username, sizeof(flow->telnet.username), "%s", flow->ndpi_flow->protos.telnet.username); snprintf(flow->telnet.password, sizeof(flow->telnet.password), "%s", flow->ndpi_flow->protos.telnet.password); } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) { - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", + snprintf(flow->ssh_tls.client_requested_server_name, + sizeof(flow->ssh_tls.client_requested_server_name), "%s", flow->ndpi_flow->protos.ssh.client_signature); snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", flow->ndpi_flow->protos.ssh.server_signature); @@ -1022,10 +1033,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0') ) { flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); - snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); + snprintf(flow->ssh_tls.client_requested_server_name, + sizeof(flow->ssh_tls.client_requested_server_name), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.client_requested_server_name); + + if(flow->ndpi_flow->protos.stun_ssl.ssl.server_names_len > 0) + flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.stun_ssl.ssl.server_names); snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s", flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); flow->ssh_tls.notBefore = flow->ndpi_flow->protos.stun_ssl.ssl.notBefore; @@ -1036,9 +1049,13 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; - memcpy(flow->ssh_tls.sha1_cert_fingerprint, - flow->ndpi_flow->l4.tcp.tls_sha1_certificate_fingerprint, 20); - } + + if(flow->ndpi_flow->l4.tcp.tls.fingerprint_set) { + memcpy(flow->ssh_tls.sha1_cert_fingerprint, + flow->ndpi_flow->l4.tcp.tls.sha1_certificate_fingerprint, 20); + flow->ssh_tls.sha1_cert_fingerprint_set = 1; + } + } if(flow->detection_completed && (!flow->check_extra_packets)) { if(is_ndpi_proto(flow, NDPI_PROTOCOL_UNKNOWN)) { @@ -1169,7 +1186,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if(flow->entropy.flow_last_pkt_time.tv_sec) { ndpi_timer_sub(&when, &flow->entropy.flow_last_pkt_time, &tdiff); - + if(flow->iat_flow && (tdiff.tv_sec >= 0) /* Discard backward time */ ) { @@ -1186,7 +1203,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ndpi_timer_sub(&when, &flow->entropy.src2dst_last_pkt_time, &tdiff); if(flow->iat_c_to_s - && (tdiff.tv_sec >= 0) /* Discard backward time */ + && (tdiff.tv_sec >= 0) /* Discard backward time */ ) { u_int32_t ms = ndpi_timeval_to_milliseconds(tdiff); @@ -1291,11 +1308,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, u_int enough_packets = (((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_udp_dissected_pkts)) || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > max_num_tcp_dissected_pkts))) ? 1 : 0; - + #if 0 - printf("%s()\n", __FUNCTION__); + printf("%s()\n", __FUNCTION__); #endif - + flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, ipsize, time, src, dst); @@ -1313,14 +1330,14 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if(ndpi_flow && ndpi_flow->check_extra_packets) flow->check_extra_packets = 1; #endif - + if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { u_int8_t proto_guessed; - + flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow, enable_protocol_guess, &proto_guessed); } - + process_ndpi_collected_info(workflow, flow); } } @@ -1363,7 +1380,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; ndpi_packet_tunnel tunnel_type = ndpi_no_tunnel; - + /* lengths and offsets */ u_int16_t eth_offset = 0; u_int16_t radio_len; @@ -1512,7 +1529,7 @@ ether_type_check: type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; ip_offset += 4; vlan_packet = 1; - + // double tagging for 802.1Q while((type == 0x8100) && (ip_offset < (u_int16_t)header->caplen)) { vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; @@ -1521,7 +1538,7 @@ ether_type_check: } recheck_type = 1; break; - + case MPLS_UNI: case MPLS_MULTI: mpls.u32 = *((uint32_t *) &packet[ip_offset]); @@ -1536,21 +1553,21 @@ ether_type_check: } recheck_type = 1; break; - + case PPPoE: workflow->stats.pppoe_count++; type = ETH_P_IP; ip_offset += 8; recheck_type = 1; break; - + default: break; } - + if(recheck_type) goto ether_type_check; - + workflow->stats.vlan_count += vlan_packet; iph_check: @@ -1632,7 +1649,7 @@ ether_type_check: u_int8_t message_type = packet[offset+1]; tunnel_type = ndpi_gtp_tunnel; - + if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) { @@ -1656,7 +1673,7 @@ ether_type_check: u_int16_t encapsulates = ntohs(*((u_int16_t*)&packet[offset+2])); tunnel_type = ndpi_tzsp_tunnel; - + if((version == 1) && (ts_type == 0) && (encapsulates == 1)) { u_int8_t stop = 0; @@ -1694,7 +1711,7 @@ ether_type_check: if((offset+40) < header->caplen) { u_int16_t msg_len = packet[offset+1] >> 1; - + offset += msg_len; if(packet[offset] == 0x02) { diff --git a/example/reader_util.h b/example/reader_util.h index c420ca211..55c260a54 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -94,7 +94,7 @@ typedef struct ndpi_ja3_info { // external hash table (host ip -> <ip string, hash table ja3c, hash table ja3s>) // used to aggregate ja3 fingerprints by hosts -typedef struct ndpi_host_ja3_fingerprints{ +typedef struct ndpi_host_ja3_fingerprints { u_int32_t ip; char *ip_string; char *dns_name; @@ -195,11 +195,12 @@ typedef struct ndpi_flow_info { struct { u_int16_t ssl_version; - char client_info[64], server_info[64], - client_hassh[33], server_hassh[33], + char client_requested_server_name[64], server_info[64], + client_hassh[33], server_hassh[33], *server_names, server_organization[64], ja3_client[33], ja3_server[33], sha1_cert_fingerprint[20]; + u_int8_t sha1_cert_fingerprint_set; time_t notBefore, notAfter; u_int16_t server_cipher; ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher; diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index d03557aa6..5723494ba 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -507,6 +507,21 @@ extern "C" { u_int16_t protoId); /** + * Set hostname-based protocol + * + * @par ndpi_mod = the detection module + * @par flow = the flow to which this communication belongs to + * @par master_protocol = the master protocol for this flow + * @par name = the host name + * @par name_len = length of the host name + * + */ + int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_mod, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol, + char *name, u_int name_len); + + /** * Get protocol category as string * * @par mod = the detection module diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 2c2268768..c7d88fe0f 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -637,17 +637,19 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_TELNET */ u_int32_t telnet_stage:2; // 0 - 2 - void* tls_srv_cert_fingerprint_ctx; + struct { + struct { + u_int8_t *buffer; + u_int buffer_len, buffer_used; + } message; + + void* srv_cert_fingerprint_ctx; /* SHA-1 */ - /* NDPI_PROTOCOL_TLS */ - u_int8_t tls_seen_client_cert:1, - tls_seen_server_cert:1, - tls_seen_certificate:1, - tls_srv_cert_fingerprint_found:1, - tls_srv_cert_fingerprint_processed:1, - tls_stage:2, _pad:1; // 0 - 5 - int16_t tls_record_offset, tls_fingerprint_len; /* Need to be signed */ - u_int8_t tls_sha1_certificate_fingerprint[20]; + /* NDPI_PROTOCOL_TLS */ + u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, + fingerprint_set:1, _pad:4; + u_int8_t sha1_certificate_fingerprint[20]; + } tls; /* NDPI_PROTOCOL_POSTGRES */ u_int32_t postgres_stage:3; @@ -941,7 +943,6 @@ typedef enum { typedef enum { ndpi_pref_direction_detect_disable = 0, - ndpi_pref_disable_metadata_export, } ndpi_detection_preference; /* ntop extensions */ @@ -1119,8 +1120,7 @@ struct ndpi_detection_module_struct { ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */ - disable_metadata_export:1 /* No metadata is exported */ - ; + _pad:7; void *hyperscan; /* Intel Hyperscan */ }; @@ -1219,8 +1219,8 @@ struct ndpi_flow_struct { struct { struct { - u_int16_t ssl_version; - char client_certificate[64], server_certificate[64], server_organization[64]; + u_int16_t ssl_version, server_names_len; + char client_requested_server_name[64], *server_names, server_organization[64]; u_int32_t notBefore, notAfter; char ja3_client[33], ja3_server[33]; u_int16_t server_cipher; diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index cd9ae19bf..9f960277b 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -8754,7 +8754,7 @@ static ndpi_protocol_match host_match[] = { // { ".googlezip.net", NULL, "\\.googlezip" TLD, "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { "dns.google", NULL, "dns\\.google" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, - // { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */ + { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */ { "cloudflare-dns.com", NULL, "cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "commons.host", NULL, "commons\\.host" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "doh.li", NULL, "doh\\.li" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 232bf30dd..03b54231b 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -78,6 +78,12 @@ static int removeDefaultPort(ndpi_port_range *range, /* ****************************************** */ +static inline uint8_t flow_is_proto(struct ndpi_flow_struct *flow, u_int16_t p) { + return((flow->detected_protocol_stack[0] == p) || (flow->detected_protocol_stack[1] == p)); +} + +/* ****************************************** */ + void* ndpi_malloc(size_t size) { return(_ndpi_malloc ? _ndpi_malloc(size) : malloc(size)); } void* ndpi_flow_malloc(size_t size) { return(_ndpi_flow_malloc ? _ndpi_flow_malloc(size) : ndpi_malloc(size)); } @@ -651,7 +657,6 @@ static int init_hyperscan(struct ndpi_detection_module_struct *ndpi_str) { ndpi_free(expressions[i]); ndpi_free(expressions), ndpi_free(ids); - ndpi_free(need_to_be_free); return(rc); @@ -716,10 +721,6 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str ndpi_str->direction_detect_disable = (u_int8_t)value; break; - case ndpi_pref_disable_metadata_export: - ndpi_str->disable_metadata_export = (u_int8_t)value; - break; - default: return(-1); } @@ -3834,9 +3835,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str u_int8_t backup; u_int16_t backup1, backup2; - if(flow->http.url) ndpi_free(flow->http.url); - if(flow->http.content_type) ndpi_free(flow->http.content_type); - if(flow->http.user_agent) ndpi_free(flow->http.user_agent); + if(flow->http.url) ndpi_free(flow->http.url), flow->http.url = NULL; + if(flow->http.content_type) ndpi_free(flow->http.content_type), flow->http.content_type = NULL; + if(flow->http.user_agent) ndpi_free(flow->http.user_agent), flow->http.user_agent = NULL; + if(flow->l4.tcp.tls.message.buffer) ndpi_free(flow->l4.tcp.tls.message.buffer), flow->l4.tcp.tls.message.buffer = NULL; backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; @@ -4220,13 +4222,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st || (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER) || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN); - else if((flow->l4.tcp.tls_seen_client_cert == 1) - && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { + else if((flow->l4.tcp.tls.hello_processed == 1) + && (flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0')) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) && (flow->packet.l4_protocol == IPPROTO_TCP) - && (flow->l4.tcp.tls_stage > 1)) + && flow->l4.tcp.tls.hello_processed) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id; @@ -4274,7 +4276,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } } } else { - flow->detected_protocol_stack[1] = flow->guessed_protocol_id, + if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) + flow->detected_protocol_stack[1] = flow->guessed_protocol_id; + + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id; if(flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0]) @@ -4351,9 +4356,10 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, if(flow->extra_packets_func) { if((flow->extra_packets_func(ndpi_str, flow)) == 0) flow->check_extra_packets = 0; - } - flow->num_extra_packets_checked++; + if(++flow->num_extra_packets_checked == flow->max_extra_packets_to_check) + flow->extra_packets_func = NULL; /* Enough packets detected */ + } } /* ********************************************************************************* */ @@ -4578,10 +4584,11 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str } if(!node) { - if(daddr != 0) + if(daddr != 0) { fill_prefix_v4(&prefix, (struct in_addr *)&daddr, 32, ((patricia_tree_t*)ndpi_str->protocols_ptree)->maxbits); - node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix); + node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix); + } } if(node) { @@ -4617,11 +4624,11 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, } } - if((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { + if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') { unsigned long id; int rc = ndpi_match_custom_category(ndpi_str, - (char *)flow->protos.stun_ssl.ssl.client_certificate, - strlen(flow->protos.stun_ssl.ssl.client_certificate), + (char *)flow->protos.stun_ssl.ssl.client_requested_server_name, + strlen(flow->protos.stun_ssl.ssl.client_requested_server_name), &id); if(rc == 0) { @@ -6332,6 +6339,33 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ return(rc); } +/* **************************************** */ + +int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol, + char *name, u_int name_len) { + ndpi_protocol_match_result ret_match; + u_int16_t subproto, what_len; + char *what; + + if((name_len > 2) && (name[0] == '*') && (name[1] == '.')) + what = &name[1], what_len = name_len - 1; + else + what = name, what_len = name_len; + + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, + what, what_len, + &ret_match, master_protocol); + + if(subproto != NDPI_PROTOCOL_UNKNOWN) { + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol); + ndpi_int_change_category(ndpi_struct, flow, ret_match.protocol_category); + return(1); + } else + return(0); +} + /* ****************************************************** */ u_int16_t ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_str, @@ -6382,9 +6416,17 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf); + if(flow_is_proto(flow, NDPI_PROTOCOL_TLS)) { + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_free(flow->protos.stun_ssl.ssl.server_names); + + if(flow->l4.tcp.tls.srv_cert_fingerprint_ctx) + ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + } + if(flow->l4_proto == IPPROTO_TCP) { - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) - ndpi_free(flow->l4.tcp.tls_srv_cert_fingerprint_ctx); + if(flow->l4.tcp.tls.message.buffer) + ndpi_free(flow->l4.tcp.tls.message.buffer); } ndpi_free(flow); @@ -6564,8 +6606,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp switch(proto) { case NDPI_PROTOCOL_TLS: - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(1); + if(!flow->l4.tcp.tls.certificate_processed) + return(1); /* TODO: add check for TLS 1.3 */ break; case NDPI_PROTOCOL_HTTP: diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index d96422d23..7d9c60104 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1043,8 +1043,10 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, if(!unknown_tls_version) { ndpi_serialize_start_of_block(serializer, "tls"); ndpi_serialize_string_string(serializer, "version", version); - ndpi_serialize_string_string(serializer, "client_cert", flow->protos.stun_ssl.ssl.client_certificate); - ndpi_serialize_string_string(serializer, "server_cert", flow->protos.stun_ssl.ssl.server_certificate); + ndpi_serialize_string_string(serializer, "client_requested_server_name", + flow->protos.stun_ssl.ssl.client_requested_server_name); + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_serialize_string_string(serializer, "server_names", flow->protos.stun_ssl.ssl.server_names); ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization); if(before) { @@ -1061,10 +1063,10 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.stun_ssl.ssl.server_unsafe_cipher); ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.stun_ssl.ssl.server_cipher)); - if(flow->l4.tcp.tls_sha1_certificate_fingerprint[0] != '\0') { + if(flow->l4.tcp.tls.sha1_certificate_fingerprint[0] != '\0') { for(i=0, off=0; i<20; i++) { int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "", - flow->l4.tcp.tls_sha1_certificate_fingerprint[i] & 0xFF); + flow->l4.tcp.tls.sha1_certificate_fingerprint[i] & 0xFF); if(rc <= 0) break; else off += rc; } diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index 5ed0d311a..a1ade79b2 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -72,9 +72,7 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc } else bt_hash = (const char*)&flow->packet.payload[28]; - if(!ndpi_struct->disable_metadata_export) { - if(bt_hash) memcpy(flow->protos.bittorrent.hash, bt_hash, 20); - } + if(bt_hash) memcpy(flow->protos.bittorrent.hash, bt_hash, 20); } ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN); diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index 8631989e9..f40a8138c 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -100,42 +100,36 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru if(msg_type <= 8) foundValidMsgType = 1; } else if(id == 55 /* Parameter Request List / Fingerprint */) { - if(!ndpi_struct->disable_metadata_export) { - u_int idx, offset = 0; + u_int idx, offset = 0; + + for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) { + int rc = snprintf((char*)&flow->protos.dhcp.fingerprint[offset], + sizeof(flow->protos.dhcp.fingerprint) - offset, + "%s%u", (idx > 0) ? "," : "", + (unsigned int)dhcp->options[i+2+idx] & 0xFF); - for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) { - int rc = snprintf((char*)&flow->protos.dhcp.fingerprint[offset], - sizeof(flow->protos.dhcp.fingerprint) - offset, - "%s%u", (idx > 0) ? "," : "", - (unsigned int)dhcp->options[i+2+idx] & 0xFF); - - if(rc < 0) break; else offset += rc; - } - - flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0'; + if(rc < 0) break; else offset += rc; } + + flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0'; } else if(id == 60 /* Class Identifier */) { - if(!ndpi_struct->disable_metadata_export) { - char *name = (char*)&dhcp->options[i+2]; - int j = 0; - - j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); - strncpy((char*)flow->protos.dhcp.class_ident, name, j); - flow->protos.dhcp.class_ident[j] = '\0'; - } + char *name = (char*)&dhcp->options[i+2]; + int j = 0; + + j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); + strncpy((char*)flow->protos.dhcp.class_ident, name, j); + flow->protos.dhcp.class_ident[j] = '\0'; } else if(id == 12 /* Host Name */) { - if(!ndpi_struct->disable_metadata_export) { - char *name = (char*)&dhcp->options[i+2]; - int j = 0; - + char *name = (char*)&dhcp->options[i+2]; + int j = 0; + #ifdef DHCP_DEBUG - NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len); + NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len); // while(j < len) { printf( "%c", name[j]); j++; }; printf("\n"); #endif - j = ndpi_min(len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, name, j); - flow->host_server_name[j] = '\0'; - } + j = ndpi_min(len, sizeof(flow->host_server_name)-1); + strncpy((char*)flow->host_server_name, name, j); + flow->host_server_name[j] = '\0'; } i += len + 2; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index fbe510459..14be88246 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -149,9 +149,8 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, * https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */ //printf("==> %s\n", ua); - if(!ndpi_struct->disable_metadata_export) { - snprintf((char*)flow->protos.http.detected_os, sizeof(flow->protos.http.detected_os), "%s", ua); - } + snprintf((char*)flow->protos.http.detected_os, + sizeof(flow->protos.http.detected_os), "%s", ua); } /* ************************************************************* */ @@ -160,14 +159,12 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp struct ndpi_flow_struct *flow) { if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { char *double_col = strchr((char*)flow->host_server_name, ':'); - ndpi_protocol_match_result ret_match; if(double_col) double_col[0] = '\0'; - ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_HTTP); + ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, + (char *)flow->host_server_name, + strlen((const char *)flow->host_server_name)); } } @@ -333,21 +330,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* Copy result for nDPI apps */ - if(!ndpi_struct->disable_metadata_export) { - len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); - flow->host_server_name[len] = '\0'; - flow->extra_packets_func = NULL; /* We're good now */ - } + len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); + strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); + flow->host_server_name[len] = '\0'; + flow->extra_packets_func = NULL; /* We're good now */ flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { len = ndpi_min(packet->forwarded_line.len, sizeof(flow->protos.http.nat_ip)-1); - if(!ndpi_struct->disable_metadata_export) { - strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len); - flow->protos.http.nat_ip[len] = '\0'; - } + strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len); + flow->protos.http.nat_ip[len] = '\0'; } ndpi_http_parse_subprotocol(ndpi_struct, flow); diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index 06d258006..43f1127d1 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -28,7 +28,7 @@ #include "ndpi_api.h" -//#define KERBEROS_DEBUG 1 +/* #define KERBEROS_DEBUG 1 */ #define KERBEROS_PORT 88 @@ -190,7 +190,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t name_offset; name_offset = body_offset + 13; - for(i=0; i<10; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<20; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); @@ -222,8 +222,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; i<cname_len; i++) cname_str[i] = tolower(cname_str[i]); #ifdef KERBEROS_DEBUG - printf("[AS-REQ][s/dport: %u/%u][Kerberos Cname][len: %u][%s]\n", - sport, dport, cname_len, cname_str); + printf("[AS-REQ][s/dport: %u/%u][Kerberos Cname][len: %u][%s]\n", sport, dport, cname_len, cname_str); #endif if(((strcmp(cname_str, "host") == 0) || (strcmp(cname_str, "ldap") == 0)) && (packet->payload[name_offset+1+cname_len] == 0x1b)) { @@ -242,7 +241,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, } else snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str); - for(i=0; i<10; i++) if(packet->payload[realm_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<14; i++) if(packet->payload[realm_offset] != 0x1b) realm_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("realm_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", realm_offset, packet->payload[realm_offset], packet->payload[realm_offset+1]); #endif @@ -279,7 +278,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int name_offset, padding_offset = body_offset + 4; name_offset = padding_offset; - for(i=0; i<10; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<14; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); diff --git a/src/lib/protocols/mdns_proto.c b/src/lib/protocols/mdns_proto.c index 506491be1..2b75f19ec 100644 --- a/src/lib/protocols/mdns_proto.c +++ b/src/lib/protocols/mdns_proto.c @@ -82,11 +82,9 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct /* printf("==> [%d] %s\n", j, answer); */ - if(!ndpi_struct->disable_metadata_export) { - len = ndpi_min(sizeof(flow->protos.mdns.answer)-1, j); - strncpy(flow->protos.mdns.answer, (const char *)answer, len); - flow->protos.mdns.answer[len] = '\0'; - } + len = ndpi_min(sizeof(flow->protos.mdns.answer)-1, j); + strncpy(flow->protos.mdns.answer, (const char *)answer, len); + flow->protos.mdns.answer[len] = '\0'; NDPI_LOG_INFO(ndpi_struct, "found MDNS with answer query\n"); return 1; diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index e21a5639b..19cffeb82 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -73,13 +73,10 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) { static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { char name[64]; - - if(!ndpi_struct->disable_metadata_export) { - u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; - - if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0) - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); - } + u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; + + if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0) + snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c index 91420a5b5..a24b9441e 100644 --- a/src/lib/protocols/oscar.c +++ b/src/lib/protocols/oscar.c @@ -83,10 +83,10 @@ static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *n ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR, NDPI_PROTOCOL_UNKNOWN); - if (src != NULL) { + if(src != NULL) { src->oscar_last_safe_access_time = packet->tick_timestamp; } - if (dst != NULL) { + if(dst != NULL) { dst->oscar_last_safe_access_time = packet->tick_timestamp; } } @@ -107,10 +107,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct u_int16_t family; u_int16_t type; u_int16_t flag; - u_int32_t req_ID; - struct ndpi_packet_struct * packet = &flow->packet; - struct ndpi_id_struct * src = flow->src; struct ndpi_id_struct * dst = flow->dst; @@ -124,7 +121,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct * [ 4 byte of data ] * * */ - if (packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) + if(packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) { /* FLAP__FRAME_TYPE (Channel)*/ @@ -140,7 +137,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct + TLVs | [Class: FLAP__SIGNON_TAGS] TLVs + +--------------------------------------------------+ */ - if (channel == SIGNON && + if(channel == SIGNON && get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) && get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION)) { @@ -153,28 +150,28 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } /* /\* SCREEN_NAME *\/ */ - /* if (get_u_int16_t(packet->payload, 10) == htons(SCREEN_NAME)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x01 *\/ */ + /* if(get_u_int16_t(packet->payload, 10) == htons(SCREEN_NAME)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x01 *\/ */ /* { */ /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Screen Name \n"); */ /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ /* return; */ /* } */ /* /\* PASSWD *\/ */ - /* if (get_u_int16_t(packet->payload, 10) == htons(PASSWD)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x02 *\/ */ + /* if(get_u_int16_t(packet->payload, 10) == htons(PASSWD)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x02 *\/ */ /* { */ /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Password (roasted) \n"); */ /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ /* return; */ /* } */ /* CLIENT_NAME */ - if (get_u_int16_t(packet->payload, 10) == htons(CLIENT_NAME)) /* packet->payload[10] == 0x00 && packet->payload[11] == 0x03 */ + if(get_u_int16_t(packet->payload, 10) == htons(CLIENT_NAME)) /* packet->payload[10] == 0x00 && packet->payload[11] == 0x03 */ { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client Name \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* LOGIN_COOKIE */ - if (get_u_int16_t(packet->payload, 10) == htons(LOGIN_COOKIE) && + if(get_u_int16_t(packet->payload, 10) == htons(LOGIN_COOKIE) && get_u_int16_t(packet->payload, 12) == htons(0x0100)) { if(get_u_int16_t(packet->payload, packet->payload_packet_len - 5) == htons(MULTICONN_FLAGS)) /* MULTICONN_FLAGS */ @@ -191,35 +188,35 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* MAJOR_VERSION */ - if (get_u_int16_t(packet->payload, 10) == htons(MAJOR_VERSION)) + if(get_u_int16_t(packet->payload, 10) == htons(MAJOR_VERSION)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Major_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* MINOR_VERSION */ - if (get_u_int16_t(packet->payload, 10) == htons(MINOR_VERSION)) + if(get_u_int16_t(packet->payload, 10) == htons(MINOR_VERSION)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Minor_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* POINT_VERSION */ - if (get_u_int16_t(packet->payload, 10) == htons(POINT_VERSION)) + if(get_u_int16_t(packet->payload, 10) == htons(POINT_VERSION)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Point_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* BUILD_NUM */ - if (get_u_int16_t(packet->payload, 10) == htons(BUILD_NUM)) + if(get_u_int16_t(packet->payload, 10) == htons(BUILD_NUM)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Build_Num \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* CLIENT_RECONNECT */ - if (get_u_int16_t(packet->payload, 10) == htons(CLIENT_RECONNECT)) + if(get_u_int16_t(packet->payload, 10) == htons(CLIENT_RECONNECT)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client_Reconnect \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -244,24 +241,24 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct + requestId | 4 byte + +----------------------------------------------+ */ - if (channel == DATA) + if(channel == DATA) { - if (packet->payload_packet_len >= 8) + if(packet->payload_packet_len >= 8) family = get_u_int16_t(packet->payload, 6); else family = 0; - if (packet->payload_packet_len >= 10) + if(packet->payload_packet_len >= 10) type = get_u_int16_t(packet->payload, 8); else type = 0; - if (family == 0 || type == 0) + if(family == 0 || type == 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Family 0x0001 */ - if (family == htons(GE_SE_CTL)) + if(family == htons(GE_SE_CTL)) { switch (type) { @@ -297,7 +294,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0002 */ - if (family == htons(LOC_SRV)) + if(family == htons(LOC_SRV)) { switch (type) { @@ -320,7 +317,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0003 */ - if (family == htons(BUDDY_LIST)) + if(family == htons(BUDDY_LIST)) { switch (type) { @@ -340,7 +337,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0004 */ - if (family == htons(IM)) + if(family == htons(IM)) { switch (type) { @@ -361,7 +358,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0006 */ - if (family == htons(IS)) + if(family == htons(IS)) { switch (type) { @@ -372,7 +369,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0007 */ - if (family == htons(ACC_ADM)) + if(family == htons(ACC_ADM)) { switch (type) { @@ -389,7 +386,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0008 */ - if (family == htons(POPUP)) + if(family == htons(POPUP)) { switch (type) { @@ -399,7 +396,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0009 */ - if (family == htons(PMS)) + if(family == htons(PMS)) { switch (type) { @@ -418,7 +415,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000b */ - if (family == htons(USS)) + if(family == htons(USS)) { switch (type) { @@ -430,7 +427,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000d */ - if (family == htons(CHAT_ROOM_SETUP)) + if(family == htons(CHAT_ROOM_SETUP)) { switch (type) { @@ -447,7 +444,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000e */ - if (family == htons(CHAT_ROOM_ACT)) + if(family == htons(CHAT_ROOM_ACT)) { switch (type) { @@ -464,7 +461,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x000f */ - if (family == htons(USER_SRCH)) + if(family == htons(USER_SRCH)) { switch (type) { @@ -477,7 +474,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0010 */ - if (family == htons(BUDDY_ICON_SERVER)) + if(family == htons(BUDDY_ICON_SERVER)) { switch (type) { @@ -492,7 +489,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0013 */ - if (family == htons(SERVER_STORED_INFO)) + if(family == htons(SERVER_STORED_INFO)) { switch (type) { @@ -521,7 +518,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0015 */ - if (family == htons(ICQ)) + if(family == htons(ICQ)) { switch (type) { @@ -532,7 +529,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0017 */ - if (family == htons(INIT_AUTH)) + if(family == htons(INIT_AUTH)) { switch (type) { @@ -549,12 +546,12 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } /* Family 0x0018 */ - if (family == htons(EMAIL)) + if(family == htons(EMAIL)) { /* TODO */ } /* Family 0x0085 */ - if (family == htons(IS_EXT)) + if(family == htons(IS_EXT)) { switch (type) { @@ -571,15 +568,15 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } /* flag */ - if (packet->payload_packet_len >= 12) + if(packet->payload_packet_len >= 12) { flag = get_u_int16_t(packet->payload, 10); - if (flag == htons(0x0000)|| flag == htons(0x8000) || flag == htons(0x0001)) + if(flag == htons(0x0000)|| flag == htons(0x8000) || flag == htons(0x0001)) { - if (packet->payload_packet_len >= 16) + if(packet->payload_packet_len >= 16) { /* request ID */ - req_ID = get_u_int32_t(packet->payload, 12); + // u_int32_t req_ID = get_u_int32_t(packet->payload, 12); /* if((req_ID <= ((u_int32_t)-1))) */ { NDPI_LOG_INFO(ndpi_struct, "found OSCAR\n"); @@ -594,7 +591,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct ERROR -> FLAP__ERROR_CHANNEL_0x03 A FLAP error - rare */ - if (channel == O_ERROR) + if(channel == O_ERROR) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Error frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -604,7 +601,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct Close down the FLAP connection gracefully. SIGNOFF: FLAP__SIGNOFF_CHANNEL_0x04 */ - if (channel == SIGNOFF) + if(channel == SIGNOFF) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Signoff frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -614,7 +611,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct Send a heartbeat to server to help keep connection open. KEEP_ALIVE: FLAP__KEEP_ALIVE_CHANNEL_0x05 */ - if (channel == KEEP_ALIVE) + if(channel == KEEP_ALIVE) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Keep Alive frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -624,11 +621,11 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct /* detect http connections */ - if (packet->payload_packet_len >= 18) { - if ((packet->payload[0] == 'P') && (memcmp(packet->payload, "POST /photo/upload", 18) == 0)) { + if(packet->payload_packet_len >= 18) { + if((packet->payload[0] == 'P') && (memcmp(packet->payload, "POST /photo/upload", 18) == 0)) { NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if (packet->host_line.len >= 18 && packet->host_line.ptr != NULL) { - if (memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) { + if(packet->host_line.len >= 18 && packet->host_line.ptr != NULL) { + if(memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP, POST method\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -637,9 +634,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } } - if (packet->payload_packet_len > 40) { - if ((packet->payload[0] == 'G') && (memcmp(packet->payload, "GET /", 5) == 0)) { - if ((memcmp(&packet->payload[5], "aim/fetchEvents?aimsid=", 23) == 0) || + if(packet->payload_packet_len > 40) { + if((packet->payload[0] == 'G') && (memcmp(packet->payload, "GET /", 5) == 0)) { + if((memcmp(&packet->payload[5], "aim/fetchEvents?aimsid=", 23) == 0) || (memcmp(&packet->payload[5], "aim/startSession?", 17) == 0) || (memcmp(&packet->payload[5], "aim/gromit/aim_express", 22) == 0) || (memcmp(&packet->payload[5], "b/ss/aolwpaim", 13) == 0) || @@ -649,9 +646,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } - if ((memcmp(&packet->payload[5], "aim", 3) == 0) || (memcmp(&packet->payload[5], "im", 2) == 0)) { + if((memcmp(&packet->payload[5], "aim", 3) == 0) || (memcmp(&packet->payload[5], "im", 2) == 0)) { NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if (packet->user_agent_line.len > 15 && packet->user_agent_line.ptr != NULL && + if(packet->user_agent_line.len > 15 && packet->user_agent_line.ptr != NULL && ((memcmp(packet->user_agent_line.ptr, "mobileAIM/", 10) == 0) || (memcmp(packet->user_agent_line.ptr, "ICQ/", 4) == 0) || (memcmp(packet->user_agent_line.ptr, "mobileICQ/", 10) == 0) || @@ -663,14 +660,14 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if (packet->referer_line.ptr != NULL && packet->referer_line.len >= 22) { + if(packet->referer_line.ptr != NULL && packet->referer_line.len >= 22) { - if (memcmp(&packet->referer_line.ptr[packet->referer_line.len - NDPI_STATICSTRING_LEN("WidgetMain.swf")], + if(memcmp(&packet->referer_line.ptr[packet->referer_line.len - NDPI_STATICSTRING_LEN("WidgetMain.swf")], "WidgetMain.swf", NDPI_STATICSTRING_LEN("WidgetMain.swf")) == 0) { u_int16_t i; for (i = 0; i < (packet->referer_line.len - 22); i++) { - if (packet->referer_line.ptr[i] == 'a') { - if (memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) { + if(packet->referer_line.ptr[i] == 'a') { + if(memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP : aim/gromit/aim_express\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -681,13 +678,13 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } } - if (memcmp(packet->payload, "CONNECT ", 8) == 0) { - if (memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) { + if(memcmp(packet->payload, "CONNECT ", 8) == 0) { + if(memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - if (memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) { + if(memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; @@ -696,32 +693,32 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } - if (packet->payload_packet_len > 43 + if(packet->payload_packet_len > 43 && memcmp(packet->payload, "GET http://http.proxy.icq.com/hello HTTP/1.", 43) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP PROXY\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - if (packet->payload_packet_len > 46 + if(packet->payload_packet_len > 46 && memcmp(packet->payload, "GET http://aimhttp.oscar.aol.com/hello HTTP/1.", 46) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP PROXY\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - if (packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) { + if(packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) { NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); return; } - if (packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == htonl(0x05000001) && + if(packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == htonl(0x05000001) && get_u_int32_t(packet->payload, 4) == 0) { NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); return; } - if (packet->payload_packet_len >= 70 && + if(packet->payload_packet_len >= 70 && memcmp(&packet->payload[packet->payload_packet_len - 26], "\x67\x00\x65\x00\x74\x00\x43\x00\x61\x00\x74\x00\x61\x00\x6c\x00\x6f\x00\x67", 19) == 0) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); @@ -729,9 +726,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_OSCAR) != 0) { + if(NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_OSCAR) != 0) { - if (flow->packet_counter == 1 + if(flow->packet_counter == 1 && ((packet->payload_packet_len == 9 && memcmp(packet->payload, "\x00\x09\x00\x00\x83\x01\xc0\x00\x00", 9) == 0) @@ -742,13 +739,13 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } #if 0 - if (flow->oscar_video_voice && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len + if(flow->oscar_video_voice && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) { } #endif - if (packet->payload_packet_len >= 70 && ntohs(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len) { - if (memcmp(packet->payload, "OFT", 3) == 0 && + if(packet->payload_packet_len >= 70 && ntohs(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len) { + if(memcmp(packet->payload, "OFT", 3) == 0 && ((packet->payload[3] == '3' && ((memcmp(&packet->payload[4], "\x01\x00\x01\x01", 4) == 0) || (memcmp(&packet->payload[6], "\x01\x01\x00", 3) == 0))) || (packet->payload[3] == '2' && ((memcmp(&packet->payload[6], "\x01\x01", 2) @@ -760,7 +757,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } - if (memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) { + if(memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) { //PICTURE TRANSFER PATTERN EXMAPLE:: //4f 44 43 32 00 4c 00 01 00 06 00 00 00 00 00 00 ODC2.L.......... NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); @@ -768,7 +765,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct return; } } - if (packet->payload_packet_len > 40 && (memcmp(&packet->payload[2], "\x04\x4a\x00", 3) == 0) + if(packet->payload_packet_len > 40 && (memcmp(&packet->payload[2], "\x04\x4a\x00", 3) == 0) && (memcmp(&packet->payload[6], "\x00\x00", 2) == 0) && packet->payload[packet->payload_packet_len - 15] == 'F' && packet->payload[packet->payload_packet_len - 12] == 'L' @@ -776,21 +773,21 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct && (memcmp(&packet->payload[packet->payload_packet_len - 2], "\x00\x00", 2) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); - if (ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) { + if(ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) { flow->oscar_ssl_voice_stage = 1; } return; } } - if (flow->packet_counter < 3 && packet->payload_packet_len > 11 && (memcmp(packet->payload, "\x00\x37\x04\x4a", 4) + if(flow->packet_counter < 3 && packet->payload_packet_len > 11 && (memcmp(packet->payload, "\x00\x37\x04\x4a", 4) || memcmp(packet->payload, "\x00\x0a\x04\x4a", 4))) { return; } - if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) { + if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -800,7 +797,7 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; NDPI_LOG_DBG(ndpi_struct, "search OSCAR\n"); - if (packet->tcp != NULL) { + if(packet->tcp != NULL) { ndpi_search_oscar_tcp_connect(ndpi_struct, flow); } } diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 0d83e4739..5c565e5a1 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -129,23 +129,21 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, sni_offset++; if((sni_offset+len) < udp_len) { - if(!ndpi_struct->disable_metadata_export) { - int max_len = sizeof(flow->host_server_name)-1, j = 0; - ndpi_protocol_match_result ret_match; - - if(len > max_len) len = max_len; - - while((len > 0) && (sni_offset < udp_len)) { - flow->host_server_name[j++] = packet->payload[sni_offset]; - sni_offset++, len--; - } - - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_QUIC); + int max_len = sizeof(flow->host_server_name)-1, j = 0; + ndpi_protocol_match_result ret_match; + + if(len > max_len) len = max_len; + + while((len > 0) && (sni_offset < udp_len)) { + flow->host_server_name[j++] = packet->payload[sni_offset]; + sni_offset++, len--; } + + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + &ret_match, + NDPI_PROTOCOL_QUIC); } break; diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 2f7fe97ae..44eaf333e 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -251,18 +251,16 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct if(flow->l4.tcp.ssh_stage == 0) { if(packet->payload_packet_len > 7 && packet->payload_packet_len < 100 && memcmp(packet->payload, "SSH-", 4) == 0) { - if(!ndpi_struct->disable_metadata_export) { - int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len); - - strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); - flow->protos.ssh.client_signature[len] = '\0'; - ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - + int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len); + + strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); + flow->protos.ssh.client_signature[len] = '\0'; + ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); + #ifdef SSH_DEBUG - printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); -#endif - } - + printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); +#endif + NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n"); flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; ndpi_int_ssh_add_connection(ndpi_struct, flow); @@ -271,24 +269,19 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { if(packet->payload_packet_len > 7 && packet->payload_packet_len < 500 && memcmp(packet->payload, "SSH-", 4) == 0) { - if(!ndpi_struct->disable_metadata_export) { - int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len); - - strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); - flow->protos.ssh.server_signature[len] = '\0'; - ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - + int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len); + + strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); + flow->protos.ssh.server_signature[len] = '\0'; + ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); + #ifdef SSH_DEBUG - printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); + printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); #endif - - NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; - } else { - NDPI_LOG_INFO(ndpi_struct, "found ssh\n"); - ndpi_int_ssh_add_connection(ndpi_struct, flow); - } - + + NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + #ifdef SSH_DEBUG printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); #endif diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 185056fba..737585db4 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -31,9 +31,17 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); +extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + +#if 0 +#define DEBUG_TLS_MEMORY 1 +#define DEBUG_TLS 1 +#endif -/* #define DEBUG_TLS 1 */ +// #define DEBUG_CERTIFICATE_HASH + /* #define DEBUG_FINGERPRINT 1 */ /* @@ -60,8 +68,8 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); -extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); +static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int32_t protocol); /* **************************************** */ @@ -93,30 +101,61 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st } } - return protocol; + return(protocol); } /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; +void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} + /* TCP */ +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n", + packet->payload_packet_len, + flow->l4.tcp.tls.message.buffer_len, + packet->packet_direction); +#endif -/* **************************************** */ + if(flow->l4.tcp.tls.message.buffer == NULL) { + /* Allocate buffer */ + flow->l4.tcp.tls.message.buffer_len = 2048, flow->l4.tcp.tls.message.buffer_used = 0; + flow->l4.tcp.tls.message.buffer = (u_int8_t*)ndpi_malloc(flow->l4.tcp.tls.message.buffer_len); -static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, u_int32_t protocol) { - if(protocol != NDPI_PROTOCOL_TLS) - ; - else - protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); + if(flow->l4.tcp.tls.message.buffer == NULL) + return; - ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); - sslInitExtraPacketProcessing(flow); +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Allocating %u buffer\n", flow->l4.tcp.tls.message.buffer_len); +#endif + } + + u_int avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used; + if(avail_bytes < packet->payload_packet_len) { + u_int new_len = flow->l4.tcp.tls.message.buffer_len + packet->payload_packet_len; + void *newbuf = ndpi_realloc(flow->l4.tcp.tls.message.buffer, + flow->l4.tcp.tls.message.buffer_len, new_len); + if(!newbuf) return; + + flow->l4.tcp.tls.message.buffer = (u_int8_t*)newbuf, flow->l4.tcp.tls.message.buffer_len = new_len; + avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used; + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Enlarging %u -> %u buffer\n", flow->l4.tcp.tls.message.buffer_len, new_len); +#endif + } + + if(avail_bytes >= packet->payload_packet_len) { + memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used], + packet->payload, packet->payload_packet_len); + + flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len; +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Copied data to buffer [%u/%u bytes]\n", + flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len); +#endif + } } /* **************************************** */ @@ -134,9 +173,12 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp /* **************************************** */ -static void stripCertificateTrailer(char *buffer, int buffer_len) { - int i, is_puny; - +static void cleanupServerName(char *buffer, int buffer_len) { + u_int i; + +#if 0 + int is_puny; + // printf("->%s<-\n", buffer); for(i = 0; i < buffer_len; i++) { @@ -159,7 +201,6 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { // not a punycode string - need more checks if(is_puny == 0) { - if(i > 0) i--; while(i > 0) { @@ -177,7 +218,8 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { buffer[i] = '\0', buffer_len = i; } } - +#endif + /* Now all lowecase */ for(i=0; i<buffer_len; i++) buffer[i] = tolower(buffer[i]); @@ -185,1412 +227,971 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { /* **************************************** */ -/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - -#define JA3_STR_LEN 1024 -#define MAX_NUM_JA3 128 +/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ +static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t offset, u_int16_t certificate_len) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int num_found = 0, i, j; + char buffer[64] = { '\0' }; + +#ifdef DEBUG_TLS + printf("[TLS] %s() [offset: %u][certificate_len: %u]\n", __FUNCTION__, offset, certificate_len); +#endif -struct ja3_info { - u_int16_t tls_handshake_version; - u_int16_t num_cipher, cipher[MAX_NUM_JA3]; - u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; - u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; - u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; -}; + /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ + for(i = offset; i < certificate_len; i++) { + /* Organization OID: 2.5.4.10 */ + if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { + u_int8_t server_len = packet->payload[i+4]; -/* **************************************** */ + num_found++; + /* what we want is subject certificate, so we bypass the issuer certificate */ + if(num_found != 2) continue; -int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *buffer, int buffer_len) { - struct ndpi_packet_struct *packet = &flow->packet; - struct ja3_info ja3; - u_int8_t invalid_ja3 = 0; - u_int16_t pkt_tls_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len; - char ja3_str[JA3_STR_LEN]; - ndpi_MD5_CTX ctx; - u_char md5_hash[16]; - int i; + // packet is truncated... further inspection is not needed + if(i+4+server_len >= packet->payload_packet_len) { + break; + } - if(packet->udp) { - /* Check if this is DTLS or return */ - if((packet->payload[1] != 0xfe) - || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return(0); - } - } + char *server_org = (char*)&packet->payload[i+5]; - flow->protos.stun_ssl.ssl.ssl_version = pkt_tls_version; + u_int len = (u_int)ndpi_min(server_len, sizeof(buffer)-1); + strncpy(buffer, server_org, len); + buffer[len] = '\0'; - memset(&ja3, 0, sizeof(ja3)); + // check if organization string are all printable + u_int8_t is_printable = 1; + for(j = 0; j < len; j++) { + if(!ndpi_isprint(buffer[j])) { + is_printable = 0; + break; + } + } + if(is_printable == 1) { + snprintf(flow->protos.stun_ssl.ssl.server_organization, + sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); #ifdef DEBUG_TLS - { - u_int16_t tls_len = (packet->payload[3] << 8) + packet->payload[4]; - - printf("SSL Record [version: 0x%04X][len: %u]\n", pkt_tls_version, tls_len); - } + printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization); #endif + } + } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) { + /* Certificate Validity */ + u_int8_t len = packet->payload[i+3]; + u_int offset = i+4; - /* - Nothing matched so far: let's decode the certificate with some heuristics - Patches courtesy of Denys Fedoryshchenko <nuclearcat@nuclearcat.com> - */ - if(packet->payload[0] == 0x16 /* Handshake */) { - u_int16_t total_len; - u_int8_t handshake_protocol, header_len; - - if(packet->tcp) { - header_len = 5; /* SSL Header */ - handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - total_len = (packet->payload[3] << 8) + packet->payload[4]; - } else { - header_len = 13; /* DTLS header */ - handshake_protocol = packet->payload[13]; - total_len = ntohs(*((u_int16_t*)&packet->payload[11])); - } - - total_len += header_len; + if((offset+len) < packet->payload_packet_len) { + char utcDate[32]; - memset(buffer, 0, buffer_len); +#ifdef DEBUG_TLS + printf("[CERTIFICATE] notBefore [len: %u][", len); + for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); + printf("]\n"); +#endif - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; + if(len < (sizeof(utcDate)-1)) { + struct tm utc; + utc.tm_isdst = -1; /* Not set by strptime */ - /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ - if(total_len > 4) { - u_int16_t base_offset = packet->tcp ? 43 : 59; + strncpy(utcDate, (const char*)&packet->payload[i+4], len); + utcDate[len] = '\0'; + /* 141021000000Z */ + if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { + flow->protos.stun_ssl.ssl.notBefore = timegm(&utc); #ifdef DEBUG_TLS - printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol); + printf("[CERTIFICATE] notBefore %u [%s]\n", + flow->protos.stun_ssl.ssl.notBefore, utcDate); #endif + } + } - if((handshake_protocol == 0x02) - || (handshake_protocol == 0x0b) /* Server Hello and Certificate message types are interesting for us */) { - u_int num_found = 0; - u_int16_t tls_version; - int i, rc; - - if(packet->tcp) - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4])); - else - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12])); + offset += len; - ja3.tls_handshake_version = tls_version; + if((offset+1) < packet->payload_packet_len) { + len = packet->payload[offset+1]; - if(handshake_protocol == 0x02) { - u_int16_t offset = base_offset, extension_len, j; - u_int8_t session_id_len = packet->payload[offset]; + offset += 2; + if((offset+len) < packet->payload_packet_len) { #ifdef DEBUG_TLS - printf("SSL Server Hello [version: 0x%04X]\n", tls_version); + printf("[CERTIFICATE] notAfter [len: %u][", len); + for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); + printf("]\n"); #endif - /* - The server hello decides about the SSL version of this flow - https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 - */ - flow->protos.stun_ssl.ssl.ssl_version = tls_version; - - if(packet->udp) - offset += 1; - else { - if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) - offset += session_id_len+1; - } + if(len < (sizeof(utcDate)-1)) { + struct tm utc; + utc.tm_isdst = -1; /* Not set by strptime */ - ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); - flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; + strncpy(utcDate, (const char*)&packet->payload[offset], len); + utcDate[len] = '\0'; + /* 141021000000Z */ + if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { + flow->protos.stun_ssl.ssl.notAfter = timegm(&utc); #ifdef DEBUG_TLS - printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); + printf("[CERTIFICATE] notAfter %u [%s]\n", + flow->protos.stun_ssl.ssl.notAfter, utcDate); #endif - - offset += 2 + 1; - - if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - else - extension_len = 0; + } + } + } + } + } + } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { + /* Organization OID: 2.5.29.17 (subjectAltName) */ + u_int16_t servernames_len = 0; + char servernames[2048]; #ifdef DEBUG_TLS - printf("TLS [server][extension_len: %u]\n", extension_len); + printf("******* [TLS] Found subjectAltName\n"); #endif - offset += 2; - for(i=0; i<extension_len; ) { - u_int16_t extension_id, extension_len; + i += 3 /* skip the initial patten 55 1D 11 */; + i++; /* skip the first type, 0x04 == BIT STRING, and jump to it's length */ + i += packet->payload[i] & 0x80 ? packet->payload[i] & 0x7F : 0; /* skip BIT STRING length */ + i += 2; /* skip the second type, 0x30 == SEQUENCE, and jump to it's length */ + i += packet->payload[i] & 0x80 ? packet->payload[i] & 0x7F : 0; /* skip SEQUENCE length */ + i++; + + while(i < packet->payload_packet_len) { + if(packet->payload[i] == 0x82) { + if((i < (packet->payload_packet_len - 1)) + && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) { + u_int8_t len = packet->payload[i + 1]; + char dNSName[256]; + int rc; + + i += 2; + + strncpy(dNSName, (const char*)&packet->payload[i], len); + dNSName[len] = '\0'; - if(offset >= (packet->payload_packet_len+4)) break; + cleanupServerName(dNSName, len); - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); + rc = snprintf(&servernames[servernames_len], sizeof(servernames)-servernames_len, "%s%s", + (servernames_len == 0) ? "" : ",", dNSName); - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + if(rc > 0) + servernames_len += rc; -#ifdef DEBUG_TLS - printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", - extension_id, extension_id, extension_len); +#if DEBUG_TLS + printf("[TLS] dNSName %s [%s]\n", dNSName, servernames); #endif - if(extension_id == 43 /* supported versions */) { - if(extension_len >= 2) { - u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); - -#ifdef DEBUG_TLS - printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); -#endif - - flow->protos.stun_ssl.ssl.ssl_version = tls_version; + if(flow->protos.stun_ssl.ssl.server_names == NULL) + flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), + flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); + else { + u_int16_t dNSName_len = strlen(dNSName); + u_int16_t newstr_len = flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1; + char *newstr = (char*)ndpi_realloc(flow->protos.stun_ssl.ssl.server_names, + flow->protos.stun_ssl.ssl.server_names_len+1, newstr_len+1); + + if(newstr) { + flow->protos.stun_ssl.ssl.server_names = newstr; + flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ','; + strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], + dNSName, dNSName_len+1); + flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0'; + flow->protos.stun_ssl.ssl.server_names_len = newstr_len; } } + + if(!flow->l4.tcp.tls.subprotocol_detected) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, len)) + flow->l4.tcp.tls.subprotocol_detected = 1; - i += 4 + extension_len, offset += 4 + extension_len; + i += len; + } else { +#if DEBUG_TLS + printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); +#endif + break; } + } else { + break; + } + } /* while */ + } + } +} - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); +/* **************************************** */ - for(i=0; i<ja3.num_cipher; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); +/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ +int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; + u_int16_t certificates_offset = 7; + u_int8_t num_certificates_found = 0; + +#ifdef DEBUG_TLS + printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n", + __FUNCTION__, packet->payload_packet_len, + packet->packet_direction, + packet->payload[0], packet->payload[1], packet->payload[2], + packet->payload[3], packet->payload[4], packet->payload[5]); +#endif - if(rc <= 0) break; else ja3_str_len += rc; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ + if(packet->payload_packet_len != (length + 4)) + return(-1); /* Invalid length */ - for(i=0; i<ja3.num_tls_extension; i++) { - int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); + certificates_length = (packet->payload[4] << 16) + (packet->payload[5] << 8) + packet->payload[6]; + + if((certificates_length+3) != length) + return(-2); /* Invalid length */ + + if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL) + return(-3); /* Not enough memory */ - if(rc <= 0) break; else ja3_str_len += rc; - } - -#ifdef DEBUG_TLS - printf("TLS [server] %s\n", ja3_str); -#endif + /* Now let's process each individual certificates */ + while(certificates_offset < certificates_length) { + u_int16_t certificate_len = (packet->payload[certificates_offset] << 16) + (packet->payload[certificates_offset+1] << 8) + packet->payload[certificates_offset+2]; + certificates_offset += 3; #ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", ja3_str); + printf("[TLS] Processing %u bytes certificate [%02X %02X %02X]\n", + certificate_len, + packet->payload[certificates_offset], + packet->payload[certificates_offset+1], + packet->payload[certificates_offset+2]); #endif - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); - ndpi_MD5Final(md5_hash, &ctx); + if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ { + /* For SHA-1 we take into account only the first certificate and not all of them */ + + SHA1Init(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + +#ifdef DEBUG_CERTIFICATE_HASH + { + int i; + + for(i=0;i<certificate_len;i++) + printf("%02X ", packet->payload[certificates_offset+i]); + + printf("\n"); + } +#endif + + SHA1Update(flow->l4.tcp.tls.srv_cert_fingerprint_ctx, + &packet->payload[certificates_offset], + certificate_len); + + SHA1Final(flow->l4.tcp.tls.sha1_certificate_fingerprint, flow->l4.tcp.tls.srv_cert_fingerprint_ctx); - for(i=0, j=0; i<16; i++) { - int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], - sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); - if(rc <= 0) break; else j += rc; - } - + flow->l4.tcp.tls.fingerprint_set = 1; + #ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); + { + int i; + + printf("[TLS] SHA-1: "); + for(i=0;i<20;i++) + printf("%s%02X", (i > 0) ? ":" : "", flow->l4.tcp.tls.sha1_certificate_fingerprint[i]); + printf("\n"); + } #endif - flow->l4.tcp.tls_seen_server_cert = 1; - } else - flow->l4.tcp.tls_seen_certificate = 1; + processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len); + } + + certificates_offset += certificate_len; + } + + flow->extra_packets_func = NULL; /* We're good now */ + return(1); +} - /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - for(i = 9; i < packet->payload_packet_len-3; i++) { - if(((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x0c)) - || ((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x13)) - || ((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03))) { - u_int8_t server_len, off = 0; +/* **************************************** */ - if(packet->payload[i] == 0x55) { - num_found++, off++; +static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + switch(packet->payload[0] /* block type */) { + case 0x01: /* Client Hello */ + case 0x02: /* Server Hello */ + processClientServerHello(ndpi_struct, flow); + flow->l4.tcp.tls.hello_processed = 1; + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + break; + + case 0x0b: /* Certificate */ + processCertificate(ndpi_struct, flow); + flow->l4.tcp.tls.certificate_processed = 1; + break; - if(num_found != 2) continue; - } + default: + return(-1); + } - server_len = packet->payload[i+3+off]; - - if((server_len+i+3) < packet->payload_packet_len) { - char *server_name = (char*)&packet->payload[i+4+off]; - u_int8_t begin = 0, len, j, num_dots; - - while(begin < server_len) { - if(!ndpi_isprint(server_name[begin])) - begin++; - else - break; - } + return(0); +} - len = ndpi_min(server_len-begin, buffer_len-1); - // len = buffer_len-1; - - strncpy(buffer, &server_name[begin], len); - buffer[len] = '\0'; - - // if(len != (buffer_len-1)) printf("len=%u / buffer_len-1=%u\n", len, buffer_len-1); - - /* We now have to check if this looks like an IP address or host name */ - for(j=0, num_dots = 0; j<len; j++) { - if(!ndpi_isprint((buffer[j]))) { - num_dots = 0; /* This is not what we look for */ - break; - } else if(buffer[j] == '.') { - num_dots++; - if(num_dots >=1) break; - } - } +/* **************************************** */ - if(num_dots >= 1) { - if(!ndpi_struct->disable_metadata_export) { - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - - stripCertificateTrailer(buffer, buffer_len); - snprintf(flow->protos.stun_ssl.ssl.server_certificate, - sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); - -#ifdef DEBUG_TLS - printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); +static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + int rc = 1; + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] ndpi_search_tls_tcp() [payload_packet_len: %u]\n", + packet->payload_packet_len); #endif - - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, - flow->protos.stun_ssl.ssl.server_certificate, - strlen(flow->protos.stun_ssl.ssl.server_certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); - } - return(1 /* Server Certificate */); - } - } - } - } - } else if(handshake_protocol == 0x01 /* Client Hello */) { - u_int offset; + if(packet->payload_packet_len == 0) + return(1); /* Keep working */ -#ifdef DEBUG_TLS - printf("[base_offset: %u][payload_packet_len: %u]\n", base_offset, packet->payload_packet_len); + ndpi_search_tls_tcp_memory(ndpi_struct, flow); + + while(1) { + u_int16_t len, p_len; + const u_int8_t *p; + + if(flow->l4.tcp.tls.message.buffer_used < 5) + return(1); /* Keep working */ + + len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5; + + if(len > flow->l4.tcp.tls.message.buffer_used) { +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Not enough TLS data [%u < %u][%02X %02X %02X %02X %02X]\n", + len, flow->l4.tcp.tls.message.buffer_used, + flow->l4.tcp.tls.message.buffer[0], + flow->l4.tcp.tls.message.buffer[1], + flow->l4.tcp.tls.message.buffer[2], + flow->l4.tcp.tls.message.buffer[3], + flow->l4.tcp.tls.message.buffer[4]); #endif + break; + } - if(base_offset + 2 <= packet->payload_packet_len) { - u_int16_t session_id_len; - u_int16_t tls_version; +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Processing %u bytes message\n", len); +#endif - if(packet->tcp) - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4])); - else - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12])); + /* Overwriting packet payload */ + p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ - session_id_len = packet->payload[base_offset]; + /* Split the element in blocks */ + u_int16_t processed = 5; + + while((processed+4) < len) { + const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed]; + u_int16_t block_len = (block[1] << 16) + (block[2] << 8) + block[3]; - ja3.tls_handshake_version = tls_version; + packet->payload = block, packet->payload_packet_len = block_len+4; - if((session_id_len+base_offset+2) <= total_len) { - u_int16_t cipher_len, cipher_offset; + if((processed+packet->payload_packet_len) > len) + break; + +#ifdef DEBUG_TLS_MEMORY + printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n", + packet->payload_packet_len, + packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]); +#endif - if(packet->tcp) { - cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); - cipher_offset = base_offset + session_id_len + 3; - } else { - cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2])); - cipher_offset = base_offset+4; - } -#ifdef DEBUG_TLS - printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); + processTLSBlock(ndpi_struct, flow); + processed += packet->payload_packet_len; + } + + packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ + flow->l4.tcp.tls.message.buffer_used -= len; + + memmove(flow->l4.tcp.tls.message.buffer, + &flow->l4.tcp.tls.message.buffer[len], + flow->l4.tcp.tls.message.buffer_used); + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Left memory buffer %u bytes\n", flow->l4.tcp.tls.message.buffer_used); #endif + } + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Returning %u\n", rc); +#endif + + return(rc); +} - if((cipher_offset+cipher_len) <= total_len) { - for(i=0; i<cipher_len;) { - u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i]; +/* **************************************** */ +static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int8_t handshake_type; + u_int32_t handshake_len; + u_int16_t p_len; + const u_int8_t *p; + #ifdef DEBUG_TLS - printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); + printf("[TLS] %s()\n", __FUNCTION__); #endif - if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { - /* - Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] - https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 - */ - - if(ja3.num_cipher < MAX_NUM_JA3) - ja3.cipher[ja3.num_cipher++] = ntohs(*id); - else { - invalid_ja3 = 1; + + /* Consider only specific SSL packets (handshake) */ + if((packet->payload_packet_len < 17) + || (packet->payload[0] != 0x16) + || (packet->payload[1] != 0xfe) /* We ignore old DTLS versions */ + || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd)) + || ((ntohs(*((u_int16_t*)&packet->payload[11]))+13) != packet->payload_packet_len) + ) { + no_dtls: + #ifdef DEBUG_TLS - printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); + printf("[TLS] No DTLS found\n"); #endif - } - } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return(0); /* Giveup */ + } - i += 2; - } - } else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); -#endif - } + handshake_type = packet->payload[13]; + handshake_len = (packet->payload[14] << 16) + (packet->payload[15] << 8) + packet->payload[16]; - offset = base_offset + session_id_len + cipher_len + 2; + if((handshake_len+25) != packet->payload_packet_len) + goto no_dtls; + + /* Overwriting packet payload */ + p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ + packet->payload = &packet->payload[13], packet->payload_packet_len -= 13; - flow->l4.tcp.tls_seen_client_cert = 1; + processTLSBlock(ndpi_struct, flow); + + packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ + + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + return(1); /* Keep working */ +} - if(offset < total_len) { - u_int16_t compression_len; - u_int16_t extensions_len; +/* **************************************** */ - offset += packet->tcp ? 1 : 2; - compression_len = packet->payload[offset]; - offset++; +static void tlsInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; -#ifdef DEBUG_TLS - printf("Client SSL [compression_len: %u]\n", compression_len); + /* At most 12 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 12; + flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp; +} + +/* **************************************** */ + +static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int32_t protocol) { +#if DEBUG_TLS + printf("[TLS] %s()\n", __FUNCTION__); #endif - // offset += compression_len + 3; - offset += compression_len; + if((flow->detected_protocol_stack[0] == protocol) + || (flow->detected_protocol_stack[1] == protocol)) { + if(!flow->check_extra_packets) + tlsInitExtraPacketProcessing(flow); + return; + } + + if(protocol != NDPI_PROTOCOL_TLS) + ; + else + protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); - if(offset < total_len) { - extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - offset += 2; + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + tlsInitExtraPacketProcessing(flow); +} -#ifdef DEBUG_TLS - printf("Client SSL [extensions_len: %u]\n", extensions_len); -#endif +/* **************************************** */ - if((extensions_len+offset) <= total_len) { - /* Move to the first extension - Type is u_int to avoid possible overflow on extension_len addition */ - u_int extension_offset = 0; - u_int32_t j; +/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - while(extension_offset < extensions_len) { - u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; +#define JA3_STR_LEN 1024 +#define MAX_NUM_JA3 128 - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; +struct ja3_info { + u_int16_t tls_handshake_version; + u_int16_t num_cipher, cipher[MAX_NUM_JA3]; + u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; + u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; +}; - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; +/* **************************************** */ +int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + struct ja3_info ja3; + u_int8_t invalid_ja3 = 0; + u_int16_t tls_version, ja3_str_len; + char ja3_str[JA3_STR_LEN]; + ndpi_MD5_CTX ctx; + u_char md5_hash[16]; + int i; + u_int16_t total_len; + u_int8_t handshake_type; + char buffer[64] = { '\0' }; + #ifdef DEBUG_TLS - printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); + printf("SSL %s() called\n", __FUNCTION__); #endif - if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { - /* Skip GREASE */ + memset(&ja3, 0, sizeof(ja3)); - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; - else { - invalid_ja3 = 1; + handshake_type = packet->payload[0]; + total_len = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; + + if(total_len > packet->payload_packet_len) + return(0); /* Not found */ + + total_len = packet->payload_packet_len; + + /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ + if(total_len > 4) { + u_int16_t base_offset = packet->tcp ? 38 : 46; + u_int16_t version_offset = packet->tcp ? 4 : 12; + u_int16_t offset = 38, extension_len, j; + u_int8_t session_id_len = packet->tcp ? packet->payload[offset] : packet->payload[46]; + #ifdef DEBUG_TLS - printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); + printf("SSL [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type); #endif - } - } - - if(extension_id == 0 /* server name */) { - u_int16_t len; - - len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; - len = (u_int)ndpi_min(len, buffer_len-1); - - if((offset+extension_offset+5+len) < packet->payload_packet_len) { - strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); - buffer[len] = '\0'; - - stripCertificateTrailer(buffer, buffer_len); - - if(!ndpi_struct->disable_metadata_export) { - snprintf(flow->protos.stun_ssl.ssl.client_certificate, - sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); - } - } - } else if(extension_id == 10 /* supported groups */) { - u_int16_t s_offset = offset+extension_offset + 2; + tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); + flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; + + if(handshake_type == 0x02 /* Server Hello */) { + int i, rc; + #ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); + printf("SSL Server Hello [version: 0x%04X]\n", tls_version); #endif - if((s_offset+extension_len-2) <= total_len) { - for(i=0; i<extension_len-2;) { - u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); + /* + The server hello decides about the SSL version of this flow + https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 + */ + if(packet->udp) + offset += 1; + else { + if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) + offset += session_id_len+1; + } -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); -#endif - if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { - /* Skip GREASE */ - if(ja3.num_elliptic_curve < MAX_NUM_JA3) - ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); -#endif - } - } + ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); + flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; - i += 2; - } - } else { - invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); + printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); #endif - } - } else if(extension_id == 11 /* ec_point_formats groups */) { - u_int16_t s_offset = offset+extension_offset + 1; -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); -#endif - if((s_offset+extension_len) < total_len) { - for(i=0; i<extension_len-1;i++) { - u_int8_t s_group = packet->payload[s_offset+i]; + offset += 2 + 1; -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); -#endif + if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + else + extension_len = 0; - if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) - ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; - else { - invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); + printf("TLS [server][extension_len: %u]\n", extension_len); #endif - } - } - } else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); -#endif - } - } else if(extension_id == 43 /* supported versions */) { - u_int8_t version_len = packet->payload[offset+4]; - - if(version_len == (extension_len-1)) { -#ifdef DEBUG_TLS - u_int8_t j; - - for(j=0; j<version_len; j += 2) { - u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+5+j])); - - printf("Client SSL [TLS version: 0x%04X]\n", tls_version); - } -#endif - } - } + offset += 2; - extension_offset += extension_len; + for(i=0; i<extension_len; ) { + u_int16_t extension_id, extension_len; -#ifdef DEBUG_TLS - printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); -#endif - } /* while */ - - if(!invalid_ja3) { - int rc; - - compute_ja3c: - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); - - for(i=0; i<ja3.num_cipher; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.cipher[i]); - if(rc > 0) ja3_str_len += rc; else break; - } + if(offset >= (packet->payload_packet_len+4)) break; - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); - for(i=0; i<ja3.num_tls_extension; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.tls_extension[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ - - for(i=0; i<ja3.num_elliptic_curve; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.elliptic_curve[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - for(i=0; i<ja3.num_elliptic_curve_point_format; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); - if(rc > 0) ja3_str_len += rc; else break; - } + if(ja3.num_tls_extension < MAX_NUM_JA3) + ja3.tls_extension[ja3.num_tls_extension++] = extension_id; #ifdef DEBUG_TLS - printf("[JA3] Client: %s \n", ja3_str); + printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", + extension_id, extension_id, extension_len); #endif - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); - ndpi_MD5Final(md5_hash, &ctx); + if(extension_id == 43 /* supported versions */) { + if(extension_len >= 2) { + u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); - for(i=0, j=0; i<16; i++) { - rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], - sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", - md5_hash[i]); - if(rc > 0) j += rc; else break; - } #ifdef DEBUG_TLS - printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); + printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); #endif - } - return(2 /* Client Certificate */); - } - } else if(offset == total_len) { - /* SSL does not have extensions etc */ - goto compute_ja3c; - } - } + flow->protos.stun_ssl.ssl.ssl_version = tls_version; } } + + i += 4 + extension_len, offset += 4 + extension_len; } - } - } - return(0); /* Not found */ -} + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); -/* **************************************** */ + for(i=0; i<ja3.num_cipher; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); -/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ -int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t multiple_messages; + if(rc <= 0) break; else ja3_str_len += rc; + } - if(flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(0); /* We're good */ - -#ifdef DEBUG_TLS - printf("=>> [TLS] %s() [tls_record_offset=%d][payload_packet_len=%u][direction: %u][%02X %02X %02X...]\n", - __FUNCTION__, flow->l4.tcp.tls_record_offset, packet->payload_packet_len, - packet->packet_direction, - packet->payload[0], packet->payload[1], packet->payload[2]); -#endif - - if((packet->packet_direction == 0) /* Client -> Server */ - || (packet->payload_packet_len == 0)) - return(1); /* More packets please */ - else if(flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(0); /* We're good */ - - if(packet->payload_packet_len <= flow->l4.tcp.tls_record_offset) { - /* Avoid invalid memory accesses */ - return(1); - } + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - if(flow->l4.tcp.tls_fingerprint_len > 0) { - unsigned int avail = packet->payload_packet_len - flow->l4.tcp.tls_record_offset; + /* ********** */ - if(avail > flow->l4.tcp.tls_fingerprint_len) - avail = flow->l4.tcp.tls_fingerprint_len; + for(i=0; i<ja3.num_tls_extension; i++) { + int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate record [%02X %02X %02X...][missing: %u][offset: %u][avail: %u] (B)\n", - packet->payload[flow->l4.tcp.tls_record_offset], - packet->payload[flow->l4.tcp.tls_record_offset+1], - packet->payload[flow->l4.tcp.tls_record_offset+2], - flow->l4.tcp.tls_fingerprint_len, flow->l4.tcp.tls_record_offset, avail - ); -#endif - -#ifdef DEBUG_CERTIFICATE_HASH - for(i=0;i<avail;i++) - printf("%02X ", packet->payload[flow->l4.tcp.tls_record_offset+i]); - printf("\n"); -#endif - - SHA1Update(flow->l4.tcp.tls_srv_cert_fingerprint_ctx, - &packet->payload[flow->l4.tcp.tls_record_offset], - avail); - - flow->l4.tcp.tls_fingerprint_len -= avail; - - if(flow->l4.tcp.tls_fingerprint_len == 0) { - SHA1Final(flow->l4.tcp.tls_sha1_certificate_fingerprint, flow->l4.tcp.tls_srv_cert_fingerprint_ctx); + if(rc <= 0) break; else ja3_str_len += rc; + } #ifdef DEBUG_TLS - { - int i; - - printf("=>> [TLS] SHA-1: "); - for(i=0;i<20;i++) - printf("%s%02X", (i > 0) ? ":" : "", flow->l4.tcp.tls_sha1_certificate_fingerprint[i]); - printf("\n"); - } + printf("TLS [server] %s\n", ja3_str); #endif - - flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1; - return(0); /* We're good */ - } else { - flow->l4.tcp.tls_record_offset = 0; + #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate record: still missing %u bytes\n", flow->l4.tcp.tls_fingerprint_len); + printf("[JA3] Server: %s \n", ja3_str); #endif - return(1); /* More packets please */ - } - } - if(packet->payload[flow->l4.tcp.tls_record_offset] == 0x15 /* Alert */) { - u_int len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+3]) + 5 /* SSL header len */; + ndpi_MD5Init(&ctx); + ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + ndpi_MD5Final(md5_hash, &ctx); - if(len < 10 /* Sanity check */) { - if((flow->l4.tcp.tls_record_offset+len) < packet->payload_packet_len) - flow->l4.tcp.tls_record_offset += len; - } else - goto invalid_len; - } - - multiple_messages = (packet->payload[flow->l4.tcp.tls_record_offset] == 0x16 /* Handshake */) ? 0 : 1; + for(i=0, j=0; i<16; i++) { + int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); + if(rc <= 0) break; else j += rc; + } #ifdef DEBUG_TLS - printf("=>> [TLS] [multiple_messages: %d]\n", multiple_messages); -#endif - - if((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset] != 0x16 /* Handshake */)) - return(1); - else if(((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset+5] == 0xb) /* Certificate */) - || (packet->payload[flow->l4.tcp.tls_record_offset] == 0xb) /* Certificate */) { - /* TODO: Do not take into account all certificates but only the first one */ + printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); +#endif + } else if(handshake_type == 0x01 /* Client Hello */) { + u_int16_t cipher_len, cipher_offset; + + if(packet->tcp) { + cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); + cipher_offset = base_offset + session_id_len + 3; + } else { + cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2])); + cipher_offset = base_offset+4; + } + #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate found\n"); + printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); #endif - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx == NULL) - flow->l4.tcp.tls_srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX)); - else { -#ifdef DEBUG_TLS - printf("[TLS] Internal error: double allocation\n:"); -#endif - } - - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) { - SHA1Init(flow->l4.tcp.tls_srv_cert_fingerprint_ctx); - flow->l4.tcp.tls_srv_cert_fingerprint_found = 1; - flow->l4.tcp.tls_record_offset += (!multiple_messages) ? 13 : 8; - flow->l4.tcp.tls_fingerprint_len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset]); - flow->l4.tcp.tls_record_offset = flow->l4.tcp.tls_record_offset+2; + if((cipher_offset+cipher_len) <= total_len) { + for(i=0; i<cipher_len;) { + u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i]; + #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate [total certificate len: %u][certificate initial offset: %u]\n", - flow->l4.tcp.tls_fingerprint_len, flow->l4.tcp.tls_record_offset); + printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); #endif - return(getSSCertificateFingerprint(ndpi_struct, flow)); - } else - return(0); /* That's all */ - } else if(flow->l4.tcp.tls_seen_certificate) - return(0); /* That's all */ - else if(packet->payload_packet_len > flow->l4.tcp.tls_record_offset+7+1/* +1 because we are going to read 2 bytes */) { - /* This is a handshake but not a certificate record */ - u_int16_t len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+7]); - + if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { + /* + Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] + https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 + */ + + if(ja3.num_cipher < MAX_NUM_JA3) + ja3.cipher[ja3.num_cipher++] = ntohs(*id); + else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("=>> [TLS] Found record %02X [len: %u]\n", - packet->payload[flow->l4.tcp.tls_record_offset+5], len); + printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); #endif + } + } - if(len > 4096) { - invalid_len: - /* This looks an invalid len: we giveup */ - flow->l4.tcp.tls_record_offset = 0, flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1; + i += 2; + } + } else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("=>> [TLS] Invalid fingerprint processing %u <-> %u\n", - ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); + printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); #endif - return(0); - } else { - flow->l4.tcp.tls_record_offset += len + 9; - - if(flow->l4.tcp.tls_record_offset < packet->payload_packet_len) - return(getSSCertificateFingerprint(ndpi_struct, flow)); - else { - flow->l4.tcp.tls_record_offset -= packet->payload_packet_len; } - } - } - - flow->extra_packets_func = NULL; /* We're good now */ - return(1); -} -/* **************************************** */ + offset = base_offset + session_id_len + cipher_len + 2; -/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ -void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *buffer, int buffer_len) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int16_t total_len; - u_int8_t handshake_protocol; - - if(packet->payload[0] != 0x16 /* Handshake */) - return; + if(offset < total_len) { + u_int16_t compression_len; + u_int16_t extensions_len; - total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */; - handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - - if((handshake_protocol != 0x02) - && (handshake_protocol != 0xb) /* Server Hello and Certificate message types are interesting for us */) - return; + offset += packet->tcp ? 1 : 2; + compression_len = packet->payload[offset]; + offset++; #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate [total_len: %u/%u]\n", ntohs(*(u_int16_t*)&packet->payload[3]), total_len); + printf("Client SSL [compression_len: %u]\n", compression_len); #endif - - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; - memset(buffer, 0, buffer_len); + // offset += compression_len + 3; + offset += compression_len; - /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - u_int num_found = 0; - u_int i, j; - for(i = 9; i < packet->payload_packet_len-4; i++) { - /* Organization OID: 2.5.4.10 */ - if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { - u_int8_t server_len = packet->payload[i+4]; + if(offset < total_len) { + extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + offset += 2; - num_found++; - /* what we want is subject certificate, so we bypass the issuer certificate */ - if(num_found != 2) continue; +#ifdef DEBUG_TLS + printf("Client SSL [extensions_len: %u]\n", extensions_len); +#endif - // packet is truncated... further inspection is not needed - if(i+4+server_len >= packet->payload_packet_len) { - break; - } + if((extensions_len+offset) <= total_len) { + /* Move to the first extension + Type is u_int to avoid possible overflow on extension_len addition */ + u_int extension_offset = 0; + u_int32_t j; - char *server_org = (char*)&packet->payload[i+5]; + while(extension_offset < extensions_len) { + u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; - u_int len = (u_int)ndpi_min(server_len, buffer_len-1); - strncpy(buffer, server_org, len); - buffer[len] = '\0'; + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; - // check if organization string are all printable - u_int8_t is_printable = 1; - for (j = 0; j < len; j++) { - if(!ndpi_isprint(buffer[j])) { - is_printable = 0; - break; - } - } + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; - if(is_printable == 1) { - snprintf(flow->protos.stun_ssl.ssl.server_organization, - sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); #ifdef DEBUG_TLS - printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization); + printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); #endif - } - } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) { - u_int8_t len = packet->payload[i+3]; - u_int offset = i+4; - if((offset+len) < packet->payload_packet_len) { - char utcDate[32]; + if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { + /* Skip GREASE */ + if(ja3.num_tls_extension < MAX_NUM_JA3) + ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("[CERTIFICATE] notBefore [len: %u][", len); - for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); - printf("]\n"); + printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); #endif + } + } - if(len < (sizeof(utcDate)-1)) { - struct tm utc; - utc.tm_isdst = -1; /* Not set by strptime */ - - strncpy(utcDate, (const char*)&packet->payload[i+4], len); - utcDate[len] = '\0'; + if(extension_id == 0 /* server name */) { + u_int16_t len; - /* 141021000000Z */ - if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { - flow->protos.stun_ssl.ssl.notBefore = timegm(&utc); #ifdef DEBUG_TLS - printf("[CERTIFICATE] notBefore %u [%s]\n", - flow->protos.stun_ssl.ssl.notBefore, utcDate); + printf("[TLS] Extensions: found server name\n"); #endif - } - } - offset += len; + len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; + len = (u_int)ndpi_min(len, sizeof(buffer)-1); - if((offset+1) < packet->payload_packet_len) { - len = packet->payload[offset+1]; + if((offset+extension_offset+5+len) < packet->payload_packet_len) { + strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); + buffer[len] = '\0'; - offset += 2; + cleanupServerName(buffer, sizeof(buffer)); - if((offset+len) < packet->payload_packet_len) { + snprintf(flow->protos.stun_ssl.ssl.client_requested_server_name, + sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name), + "%s", buffer); + + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) + flow->l4.tcp.tls.subprotocol_detected = 1; + } else { #ifdef DEBUG_TLS - printf("[CERTIFICATE] notAfter [len: %u][", len); - for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); - printf("]\n"); + printf("[TLS] Extensions server len too short: %u vs %u\n", + offset+extension_offset+5+len, + packet->payload_packet_len); #endif + } + } else if(extension_id == 10 /* supported groups */) { + u_int16_t s_offset = offset+extension_offset + 2; - if(len < (sizeof(utcDate)-1)) { - struct tm utc; - utc.tm_isdst = -1; /* Not set by strptime */ - - strncpy(utcDate, (const char*)&packet->payload[offset], len); - utcDate[len] = '\0'; - - /* 141021000000Z */ - if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { - flow->protos.stun_ssl.ssl.notAfter = timegm(&utc); #ifdef DEBUG_TLS - printf("[CERTIFICATE] notAfter %u [%s]\n", - flow->protos.stun_ssl.ssl.notAfter, utcDate); + printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); #endif - } - } - } - } - } - } - } -} - -/* **************************************** */ - -int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - int rc = 1; - - if(packet->tcp) { - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - getSSCertificateFingerprint(ndpi_struct, flow); - } - -#if 1 - /* consider only specific SSL packets (handshake) */ - if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { - char certificate[64]; - int rc; - - certificate[0] = '\0'; - rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->tls_certificate_num_checks++; - if(rc > 0) { - char organization[64]; + if((s_offset+extension_len-2) <= total_len) { + for(i=0; i<extension_len-2;) { + u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); - // try fetch server organization once server certificate is found - organization[0] = '\0'; - getSSLorganization(ndpi_struct, flow, organization, sizeof(organization)); - - packet->tls_certificate_detected++; -#if 0 - if((flow->l4.tcp.tls_seen_server_cert == 1) - && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')) - /* 0 means we've done processing extra packets (since we found what we wanted) */ - return 0; +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); #endif - } - - if(flow->l4.tcp.tls_record_offset == 0) { - /* Client hello, Server Hello, and certificate packets probably all checked in this case */ - if(((packet->tls_certificate_num_checks >= 3) - && (flow->l4.tcp.seen_syn) - && (flow->l4.tcp.seen_syn_ack) - && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed) - /* || (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') */ - ) { - /* We're done processing extra packets since we've probably checked all possible cert packets */ - return(rc); - } - } - } + if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { + /* Skip GREASE */ + if(ja3.num_elliptic_curve < MAX_NUM_JA3) + ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); #endif - - /* 1 means keep looking for more packets */ - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) rc = 1; - return(rc); -} - -/* **************************************** */ - -int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t skip_cert_processing) { - struct ndpi_packet_struct *packet = &flow->packet; - - if((!skip_cert_processing) && packet->tcp) { - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - getSSCertificateFingerprint(ndpi_struct, flow); - } - - if((packet->payload_packet_len > 9) - && (packet->payload[0] == 0x16 /* consider only specific SSL packets (handshake) */)) { - if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)) { - char certificate[64]; - int rc; - - certificate[0] = '\0'; - rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->tls_certificate_num_checks++; + } + } - if(rc > 0) { - packet->tls_certificate_detected++; + i += 2; + } + } else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); + printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); #endif - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - - if(certificate[0] == '\0') - subproto = NDPI_PROTOCOL_UNKNOWN; - else - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, - strlen(certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) { - /* If we've detected the subprotocol from client certificate but haven't had a chance - * to see the server certificate yet, set up extra packet processing to wait - * a few more packets. */ - if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) - && ((flow->l4.tcp.tls_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) { - sslInitExtraPacketProcessing(flow); - } - - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, - ndpi_tls_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS)); - return(rc); - } - - if(ndpi_is_tls_tor(ndpi_struct, flow, certificate) != 0) - return(rc); - } + } + } else if(extension_id == 11 /* ec_point_formats groups */) { + u_int16_t s_offset = offset+extension_offset + 1; #ifdef DEBUG_TLS - printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", - __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, - packet->tls_certificate_detected, - flow->l4.tcp.tls_seen_client_cert, - flow->l4.tcp.tls_seen_server_cert - ); + printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); #endif + if((s_offset+extension_len) < total_len) { + for(i=0; i<extension_len-1;i++) { + u_int8_t s_group = packet->payload[s_offset+i]; - - if(((packet->tls_certificate_num_checks >= 1) -#if 0 - && (flow->l4.tcp.seen_syn /* User || to be tolerant */ - || flow->l4.tcp.seen_syn_ack - || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); #endif - && (flow->l4.tcp.tls_srv_cert_fingerprint_processed - || flow->l4.tcp.tls_seen_client_cert - || flow->l4.tcp.tls_seen_server_cert - || packet->tls_certificate_detected) - ) - /* - || ((flow->l4.tcp.tls_seen_certificate == 1) - && (flow->l4.tcp.tls_seen_server_cert == 1) - && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')) - */ - /* || ((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */ - ) { - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } - } - - return(0); -} - -/* **************************************** */ - -static void tls_mark_and_payload_search(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t skip_cert_processing) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t a; - u_int32_t end; + if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) + ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; + else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("[TLS] %s()\n", __FUNCTION__); + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); #endif - - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) - goto check_for_tls_payload; - - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0) - goto check_for_tls_payload; - else - goto no_check_for_tls_payload; - - check_for_tls_payload: - end = packet->payload_packet_len - 20; - for (a = 5; a < end; a++) { - - if(packet->payload[a] == 't') { - if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK - (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) { - NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); - return; - } - } - } + } + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); +#endif + } + } else if(extension_id == 43 /* supported versions */) { + u_int8_t version_len = packet->payload[offset+4]; - if(packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c' - || packet->payload[a] == 'h') { - if(((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0) - // || (end - c > 3 memcmp (&packet->payload[c],"AOL", 3) == 0 ) - // || (end - c > 7 && memcmp (&packet->payload[c], "AOL LLC", 7) == 0) - || ((a + 15) < packet->payload_packet_len && memcmp(&packet->payload[a], "kdc.uas.aol.com", 15) == 0) - || ((a + 14) < packet->payload_packet_len && memcmp(&packet->payload[a], "corehc@aol.net", 14) == 0) - || ((a + 41) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://crl.aol.com/AOLMSPKI/aolServerCert", 41) == 0) - || ((a + 28) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0) - || ((a + 32) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); - - if(flow->dst != NULL && packet->payload_packet_len > 75) { - memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32); - flow->dst->oscar_ssl_session_id[32] = '\0'; - flow->dst->oscar_last_safe_access_time = packet->tick_timestamp; - } + if(version_len == (extension_len-1)) { +#ifdef DEBUG_TLS + u_int8_t j; - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); - return; - } - } + for(j=0; j<version_len; j += 2) { + u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+5+j])); - if(packet->payload[a] == 'm' || packet->payload[a] == 's') { - if((a + 21) < packet->payload_packet_len && - (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 - || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { - NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); - return; - } - } - } + printf("Client SSL [TLS version: 0x%04X]\n", tls_version); + } +#endif + } + } - no_check_for_tls_payload: - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); - tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); + extension_offset += extension_len; #ifdef DEBUG_TLS - printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, - flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); + printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); #endif + } /* while */ - if(!packet->tls_certificate_detected - && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { - /* SSL without certificate (Skype, Ultrasurf?) */ - NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } else if((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.tls_srv_cert_fingerprint_processed) { - NDPI_LOG_INFO(ndpi_struct, "found ssl\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } -} + if(!invalid_ja3) { + int rc; -/* **************************************** */ + compute_ja3c: + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); -static u_int8_t ndpi_search_tlsv3_direction1(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + for(i=0; i<ja3.num_cipher; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.cipher[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - if((packet->payload_packet_len >= 5) - && ((packet->payload[0] == 0x16) || packet->payload[0] == 0x17) - && (packet->payload[1] == 0x03) - && ((packet->payload[2] == 0x00) || (packet->payload[2] == 0x01) || - (packet->payload[2] == 0x02) || (packet->payload[2] == 0x03))) { - u_int32_t temp; - NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n"); - // SSLv3 Record - if(packet->payload_packet_len >= 1300) { - return 1; - } - temp = ntohs(get_u_int16_t(packet->payload, 3)) + 5; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp - || (temp < packet->payload_packet_len && packet->payload_packet_len > 500)) { - return 1; - } + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - if(packet->payload_packet_len < temp && temp < 5000 && packet->payload_packet_len > 9) { - /* the server hello may be split into small packets */ - u_int32_t cert_start; + /* ********** */ - NDPI_LOG_DBG2(ndpi_struct, - "maybe SSLv3 server hello split into smaller packets\n"); + for(i=0; i<ja3.num_tls_extension; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.tls_extension[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - /* lets hope at least the server hello and the start of the certificate block are in the first packet */ - cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 4; - NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", - cert_start); + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG_DBG2(ndpi_struct, - "found 0x0b at suspected start of certificate block\n"); - return 2; - } - } + /* ********** */ - if((packet->payload_packet_len > temp) && (packet->payload_packet_len > 100)) { - /* the server hello may be split into small packets and the certificate has its own SSL Record - * so temp contains only the length for the first ServerHello block */ - u_int32_t cert_start; + for(i=0; i<ja3.num_elliptic_curve; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.elliptic_curve[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - NDPI_LOG_DBG2(ndpi_struct, - "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n"); + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - /* lets hope at least the server hello record and the start of the certificate record are in the first packet */ - cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 5 + 4; - NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", - cert_start); + for(i=0; i<ja3.num_elliptic_curve_point_format; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG_DBG2(ndpi_struct, - "found 0x0b at suspected start of certificate block\n"); - return 2; - } - } +#ifdef DEBUG_TLS + printf("[JA3] Client: %s \n", ja3_str); +#endif + ndpi_MD5Init(&ctx); + ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + ndpi_MD5Final(md5_hash, &ctx); - if(packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16) - && packet->payload[temp + 1] == 0x03) { - u_int32_t temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp) { - return 1; - } - if(packet->payload_packet_len >= temp + 5 && - packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { - temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp) { - return 1; - } - if(packet->payload_packet_len >= temp + 5 && - packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { - temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(temp == packet->payload_packet_len) { - return 1; + for(i=0, j=0; i<16; i++) { + rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", + md5_hash[i]); + if(rc > 0) j += rc; else break; + } +#ifdef DEBUG_TLS + printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); +#endif + } + + return(2 /* Client Certificate */); + } else { +#ifdef DEBUG_TLS + printf("[TLS] Client: too short [%u vs %u]\n", + (extensions_len+offset), total_len); +#endif } + } else if(offset == total_len) { + /* SSL does not have extensions etc */ + goto compute_ja3c; } + } else { +#ifdef DEBUG_TLS + printf("[JA3] Client: invalid length detected\n"); +#endif } } } - - return 0; + + return(0); /* Not found */ } /* **************************************** */ -void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t ret, skip_cert_processing = 0; #ifdef DEBUG_TLS - printf("==>> %u [len: %u][version: %u]\n", + printf("==>> %s() %u [len: %u][version: %u]\n", + __FUNCTION__, flow->guessed_host_protocol_id, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ssl_version); #endif - - if(packet->udp != NULL) { - /* DTLS dissector */ - int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); - - if((rc == 0) && (flow->protos.stun_ssl.ssl.ssl_version != 0)) { - flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; - - if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { - if(ndpi_struct->stun_cache == NULL) - ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); - - if(ndpi_struct->stun_cache) { -#ifdef DEBUG_TLS - printf("[LRU] Adding Signal cached keys\n"); -#endif - - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 0), NDPI_PROTOCOL_SIGNAL); - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 1), NDPI_PROTOCOL_SIGNAL); - } - - /* In Signal protocol STUN turns into DTLS... */ - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL); - } else if(flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') { - /* Wait the server certificate the bless this flow as TLS */ - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } - return; - } - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) { - if(flow->l4.tcp.tls_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) { - /* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets - * so go on checking for certificate patterns for a couple more packets - */ - NDPI_LOG_DBG2(ndpi_struct, - "ssl flow but check another packet for patterns\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) { - /* still ssl so check another packet */ - return; - } else { - /* protocol has changed so we are done */ - return; - } - } - - return; - } - - NDPI_LOG_DBG(ndpi_struct, "search ssl\n"); - - /* Check if this is whatsapp first (this proto runs over port 443) */ - if((packet->payload_packet_len > 5) - && ((packet->payload[0] == 'W') - && (packet->payload[1] == 'A') - && (packet->payload[4] == 0) - && (packet->payload[2] <= 9) - && (packet->payload[3] <= 9))) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); - return; - } else if((packet->payload_packet_len == 4) - && (packet->payload[0] == 'W') - && (packet->payload[1] == 'A')) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); - return; - } else { - /* No whatsapp, let's try SSL */ - if(tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing) > 0) - return; - else - skip_cert_processing = 1; - } - - if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 0) { - NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n"); - // SSLv2 Record - if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 - && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) - && (packet->payload_packet_len - packet->payload[1] == 2)) { - NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - - if(packet->payload[0] == 0x16 && packet->payload[1] == 0x03 - && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02) - && (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) { - // SSLv3 Record - NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - - // Application Data pkt - if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03 - && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || - packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) { - if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) { - NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - } - } - - if(packet->payload_packet_len > 40 && - flow->l4.tcp.tls_stage == 1 + packet->packet_direction - && flow->packet_direction_counter[packet->packet_direction] < 5) { - return; - } - - if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 2 - packet->packet_direction) { - NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n"); - // SSLv2 Record - if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 - && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) - && (packet->payload_packet_len - 2) >= packet->payload[1]) { - NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - return; - } - - ret = ndpi_search_tlsv3_direction1(ndpi_struct, flow); - if(ret == 1) { - NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - return; - } else if(ret == 2) { - NDPI_LOG_DBG2(ndpi_struct, - "sslv3 server len match with split packet -> check some more packets for SSL patterns\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) - flow->l4.tcp.tls_stage = 3; - return; - } - - if(packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { - NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); - return; - } - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - - return; + if(packet->udp != NULL) + ndpi_search_tls_udp(ndpi_struct, flow); + else + ndpi_search_tls_tcp(ndpi_struct, flow); } /* **************************************** */ diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index 6fc004228..49a63ed0a 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -64,11 +64,9 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc version[j] = '\0'; - if(!ndpi_struct->disable_metadata_export) { - len = ndpi_min(sizeof(flow->protos.ubntac2.version)-1, j); - strncpy(flow->protos.ubntac2.version, (const char *)version, len); - flow->protos.ubntac2.version[len] = '\0'; - } + len = ndpi_min(sizeof(flow->protos.ubntac2.version)-1, j); + strncpy(flow->protos.ubntac2.version, (const char *)version, len); + flow->protos.ubntac2.version[len] = '\0'; } NDPI_LOG_INFO(ndpi_struct, "UBNT AirControl 2 request\n"); diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c index 9a65656a8..6ccac8c77 100644 --- a/src/lib/protocols/whoisdas.c +++ b/src/lib/protocols/whoisdas.c @@ -40,15 +40,13 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str u_int max_len = sizeof(flow->host_server_name) - 1; u_int i, j; - if(!ndpi_struct->disable_metadata_export) { - for(i=strlen((const char *)flow->host_server_name), j=0; (i<max_len) && (j<packet->payload_packet_len); i++, j++) { - if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; - flow->host_server_name[i] = packet->payload[j]; - } - - flow->host_server_name[i] = '\0'; + for(i=strlen((const char *)flow->host_server_name), j=0; (i<max_len) && (j<packet->payload_packet_len); i++, j++) { + if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; + flow->host_server_name[i] = packet->payload[j]; } + flow->host_server_name[i] = '\0'; + flow->server_id = ((sport == 43) || (sport == 4343)) ? flow->src : flow->dst; NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name); diff --git a/tests/pcap/dtls.pcap b/tests/pcap/dtls.pcap Binary files differnew file mode 100644 index 000000000..2c2def228 --- /dev/null +++ b/tests/pcap/dtls.pcap diff --git a/tests/pcap/tls_long_cert.pcap b/tests/pcap/tls_long_cert.pcap Binary files differnew file mode 100644 index 000000000..062bf72f1 --- /dev/null +++ b/tests/pcap/tls_long_cert.pcap diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 7cede1bfa..cdfe2b1f6 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -36,11 +36,11 @@ JA3 Host Stats: 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Goodput ratio: 71.2/71.7][1.09 sec][Host: vv.video.qq.com][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 70.1/191.0 476/506 135.7/201.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 197.2/200.0 499/372 175.9/149.1][URL: vv.video.qq.com/getvinfo][StatusCode: 100][ContentType: ][UserAgent: Mozilla/5.0][PLAIN TEXT (POST /getvinfo HTTP/1.1)] 16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][cat: Network/14][14 pkts/4788 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][43.01 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 412/0 3105.8/0.0 12289/0 3176.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0] 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes][Goodput ratio: 87.1/85.6][0.18 sec][bytes ratio: -0.057 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/0 60.0/44.0 176/133 82.0/54.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 512.5/459.4 1159/1464 468.4/535.8] - 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.6/72.1][20.95 sec][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 2322.6/4176.2 15252/15254 4895.4/5951.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 178.1/210.4 1067/1055 287.5/323.1][TLSv1.2][Client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.5/72.1][6.76 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 746.1/1336.2 5987/5987 1865.2/2340.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 177.7/210.4 1067/1055 287.4/323.1][TLSv1.2][Client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][Goodput ratio: 68.6/74.8][6.08 sec][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 753.4/1500.5 5998/5998 1982.3/2596.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 189.5/231.9 1067/1055 298.9/340.1][TLSv1.2][Client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.6/72.1][20.95 sec][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 2322.6/4176.2 15252/15254 4895.4/5951.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 178.1/210.4 1067/1055 287.5/323.1][TLSv1.2][Client: 192.168.115.75][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][Goodput ratio: 66.5/72.1][6.76 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 746.1/1336.2 5987/5987 1865.2/2340.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 177.7/210.4 1067/1055 287.4/323.1][TLSv1.2][Client: 192.168.115.75][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][Goodput ratio: 68.6/74.8][6.08 sec][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 753.4/1500.5 5998/5998 1982.3/2596.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 189.5/231.9 1067/1055 298.9/340.1][TLSv1.2][Client: 192.168.115.75][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Goodput ratio: 59.5/87.3][0.09 sec][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.338 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6.2/16.0 36/43 13.3/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 141.0/456.4 390/1314 143.8/511.5][URL: jp.kankan.1kxun.mobi/api/videos/10410.json][StatusCode: 200][ContentType: application/json][UserAgent: ][PLAIN TEXT (GET /api/videos/10410.j)] - 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][Goodput ratio: 66.3/63.0][8.90 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 981.8/1763.2 6000/6000 1977.8/2381.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 176.6/158.4 1051/639 283.0/188.4][TLSv1.2][Client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][Goodput ratio: 66.3/63.0][8.90 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 981.8/1763.2 6000/6000 1977.8/2381.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 176.6/158.4 1051/639 283.0/188.4][TLSv1.2][Client: 192.168.115.75][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Goodput ratio: 59.5/83.1][45.16 sec][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.024 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 5638.9/28.5 44799/53 14801.4/24.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 139.4/366.0 468/1272 164.4/523.1][URL: jp.kankan.1kxun.mobi/api/videos/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377698][StatusCode: 200][ContentType: application/x-javascript][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /api/videos/10410.j)] 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes][Goodput ratio: 67.1/77.8][0.26 sec][bytes ratio: -0.193 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 63.5/63.5 205/212 84.1/87.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.2/297.4 471/1223 139.5/462.8] 25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/2450 bytes -> 0 pkts/0 bytes][Goodput ratio: 76.0/0.0][56.94 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2968/0 4488.2/0.0 17921/0 4136.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index 8682fab94..bf068cc80 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out @@ -9,8 +9,8 @@ JA3 Host Stats: 1 2001:470:1f17:13f:3e97:eff:fe73:4dec 2 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/TLS][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][Goodput ratio: 35.5/88.6][0.60 sec][bytes ratio: -0.700 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 52.8/36.3 142/142 56.7/54.5][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 165.1/934.6 629/1847 138.8/679.8][TLSv1.2][Client: mail.tomasu.net][JA3C: 812d8bce0f85487ba7834d36568ed586][Server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: 9C:00:A2:31:8F:66:C6:E2:D8:E8:1E:6F:52:49:AD:15:0A:8B:7C:68][Validity: 2014-01-29 00:00:00 - 2019-01-28 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][Goodput ratio: 72.2/76.8][0.53 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 20.1/23.5 98/97 33.1/35.6][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 383.0/468.8 1504/1911 467.5/575.9][TLSv1.2][Client: www.facebook.com][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: 93:C6:FD:1A:84:90:BB:F1:B2:3B:49:A0:9B:1F:6F:0B:46:7A:31:41][Validity: 2014-08-28 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/TLS][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][Goodput ratio: 35.5/88.6][0.60 sec][bytes ratio: -0.700 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 52.8/36.3 142/142 56.7/54.5][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 165.1/934.6 629/1847 138.8/679.8][TLSv1.2][Client: mail.tomasu.net][JA3C: 812d8bce0f85487ba7834d36568ed586][ServerNames: mail.tomasu.net,www.mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: 9C:00:A2:31:8F:66:C6:E2:D8:E8:1E:6F:52:49:AD:15:0A:8B:7C:68][Validity: 2014-01-29 00:00:00 - 2019-01-28 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][Goodput ratio: 72.2/76.8][0.53 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 20.1/23.5 98/97 33.1/35.6][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 383.0/468.8 1504/1911 467.5/575.9][TLSv1.2][Client: www.facebook.com][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][ServerNames: *.facebook.com,facebook.com,*.xz.fbcdn.net,messenger.com,fb.com,*.m.facebook.com,*.fbsbx.com,*.xy.fbcdn.net,*.messenger.com,*.fb.com,*.fbcdn.net,*.xx.fbcdn.net,*.facebook.net][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: 93:C6:FD:1A:84:90:BB:F1:B2:3B:49:A0:9B:1F:6F:0B:46:7A:31:41][Validity: 2014-08-28 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] 3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes][Goodput ratio: 40.6/40.6][22.14 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1000/992 1000.8/1000.8 1001/1012 0.4/4.2][Pkt Len c2s/s2c min/avg/max/stddev: 138/138 138.0/138.0 138/138 0.0/0.0] 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Goodput ratio: 18.0/57.0][0.82 sec][Host: mail.tomasu.net][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 163.8/56.0 495/110 170.8/54.0][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 131.0/251.5 248/680 52.4/247.4][URL: mail.tomasu.net/][StatusCode: 301][ContentType: text/html][UserAgent: Wget/1.16.3 (linux-gnu)][PLAIN TEXT (GET / HTTP/1.1)] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes][Goodput ratio: 93.7/0.0][< 1 sec][PLAIN TEXT (ds 0/u6)] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 56040e1be..2909a3160 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -13,16 +13,16 @@ JA3 Host Stats: 1 10.24.82.188 3 - 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][Goodput ratio: 71.9/84.5][0.98 sec][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.1/57.0 123/297 41.2/77.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][Goodput ratio: 68.8/86.9][0.55 sec][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/34.8 106/208 36.5/55.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 183.9/433.5 1257/1336 331.5/513.1][TLSv1.2][Client: developers.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][Goodput ratio: 73.3/87.9][0.77 sec][bytes ratio: -0.329 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 95.6/75.0 312/350 98.3/119.1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 258.4/569.2 1401/1456 416.1/539.9][TLSv1.2][Client: api.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][Goodput ratio: 59.3/78.5][10.77 sec][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] - 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][Goodput ratio: 65.7/85.4][0.86 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.3/71.2 489/365 131.0/103.2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167.2/388.7 899/1336 222.0/490.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] - 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][Goodput ratio: 57.0/78.6][28.98 sec][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2049.7/118.1 26937/448 6904.3/126.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 132.8/264.6 578/1336 133.6/439.4][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] - 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Web/5][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][Goodput ratio: 63.2/84.4][11.34 sec][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][Goodput ratio: 71.9/84.5][0.98 sec][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.1/57.0 123/297 41.2/77.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][Goodput ratio: 68.8/86.9][0.55 sec][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/34.8 106/208 36.5/55.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 183.9/433.5 1257/1336 331.5/513.1][TLSv1.2][Client: developers.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][Goodput ratio: 73.3/87.9][0.77 sec][bytes ratio: -0.329 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 95.6/75.0 312/350 98.3/119.1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 258.4/569.2 1401/1456 416.1/539.9][TLSv1.2][Client: api.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][Goodput ratio: 59.3/78.5][10.77 sec][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][Goodput ratio: 65.7/85.4][0.86 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.3/71.2 489/365 131.0/103.2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167.2/388.7 899/1336 222.0/490.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][Goodput ratio: 57.0/78.6][28.98 sec][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2049.7/118.1 26937/448 6904.3/126.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 132.8/264.6 578/1336 133.6/439.4][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Chat/9][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][Goodput ratio: 63.2/84.4][11.34 sec][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][ServerNames: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][Goodput ratio: 47.8/63.4][46.77 sec][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2833.0/4340.0 12590/13131 4126.4/4406.8][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131.2/188.3 657/274 136.4/75.5] 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][Goodput ratio: 70.9/25.0][24.52 sec][bytes ratio: 0.442 (Upload)][IAT c2s/s2c min/avg/max/stddev: 40/104 3455.9/3426.0 12765/12806 4427.1/4479.6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193.0/74.7 303/98 122.5/20.9] - 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][Goodput ratio: 26.8/86.7][0.31 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Organization: SAMSUNG ELECTRONICS CO., LTD][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Validity: 1999-12-31 15:02:10 - 2049-12-18 15:02:10][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][Goodput ratio: 26.8/86.7][0.31 sec][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65] 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Goodput ratio: 38.3/45.1][21.97 sec][Host: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/40 114.7/101.7 264/210 105.6/76.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/104.5 243/339 73.2/104.9][URL: www.facebook.com/mobile/status.php][StatusCode: 204][ContentType: ][UserAgent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Goodput ratio: 38.3/49.5][21.81 sec][Host: www.facebook.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 43/38 5451.5/101.3 21457/215 9241.2/80.5][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/114.2 243/339 73.2/112.4][URL: www.facebook.com/mobile/status.php][StatusCode: 204][ContentType: ][UserAgent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] 13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes][Goodput ratio: 0.0/0.0][25.75 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 136/98 3845.2/3844.4 13075/13111 4718.5/4734.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 56.0/56.0 56/56 0.0/0.0] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index 6efaf36b6..748a1b62a 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -15,8 +15,8 @@ JA3 Host Stats: 1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][Goodput ratio: 68.7/65.0][45.42 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 56.7/47.6 202/340 48.7/48.1][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 140.5/125.9 234/236 43.2/33.1][PLAIN TEXT (46yOXQ)] 2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][Goodput ratio: 65.0/68.8][45.02 sec][bytes ratio: -0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/0 58.3/49.1 112/476 22.7/54.4][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 125.9/141.0 236/234 33.1/43.4][PLAIN TEXT (46yOXQ)] - 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 71.7/75.9][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358.4/3527.6 20472/21237 5097.7/5912.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242.1/289.6 878/920 253.9/276.1][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][Server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64.1/73.3][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691.3/1317.3 6069/10226 1399.3/2632.2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190.4/260.4 814/920 164.3/240.9][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][Server: kakao.com][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 71.7/75.9][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358.4/3527.6 20472/21237 5097.7/5912.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242.1/289.6 878/920 253.9/276.1][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64.1/73.3][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691.3/1317.3 6069/10226 1399.3/2632.2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190.4/260.4 814/920 164.3/240.9][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Organization: Kakao][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 70.6/27.4][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 140.8/117.3 494/295 163.1/91.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195.5/78.0 735/189 228.1/34.6][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 68.8/69.0][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4202.8/4246.6 4716/5160 1130.8/719.3][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141.0/142.0 150/142 6.1/0.0] 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 68.6/68.6][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266.5/3766.4 4903/4991 1244.7/1143.7][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140.2/140.2 142/142 5.7/5.7] diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out index e4841247f..5e3702ed3 100644 --- a/tests/result/anyconnect-vpn.pcap.out +++ b/tests/result/anyconnect-vpn.pcap.out @@ -21,10 +21,10 @@ JA3 Host Stats: 1 10.0.0.227 4 - 1 TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 64.9/84.4][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/10.8 97/138 21.4/26.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189.0/425.1 1514/1514 245.6/579.0][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 2 TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 79.5/89.8][23.14 sec][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1047.6/486.8 11570/9008 2986.7/2008.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 324.6/651.7 1514/1514 493.8/646.0][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64.1/75.5][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 90.8/63.5 593/619 144.9/135.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185.3/270.7 1261/1434 259.0/387.4][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] - 4 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61.0/87.3][0.35 sec][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.8/26.1 48/88 21.3/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.2/522.5 1175/1514 273.9/624.5][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 64.9/84.4][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/10.8 97/138 21.4/26.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189.0/425.1 1514/1514 245.6/579.0][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 2 TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 79.5/89.8][23.14 sec][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1047.6/486.8 11570/9008 2986.7/2008.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 324.6/651.7 1514/1514 493.8/646.0][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64.1/75.5][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 90.8/63.5 593/619 144.9/135.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185.3/270.7 1261/1434 259.0/387.4][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Organization: Code42][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] + 4 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61.0/87.3][0.35 sec][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.8/26.1 48/88 21.3/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.2/522.5 1175/1514 273.9/624.5][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 5 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 63.8/60.8][11.47 sec][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866.5/28.1 11074/80 2946.8/34.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184.3/170.5 853/487 228.0/155.1][TLSv1.2][Client: slack.com][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 6 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 66.6/80.6][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824.1/3641.6 10081/10083 3592.5/4384.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 191.9/340.3 373/450 153.1/173.5][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][ContentType: ][UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt)] 7 TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 161/CiscoVPN][cat: VPN/2][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][Goodput ratio: 45.4/62.5][45.04 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648.5/5003.6 5001/5006 2494.5/1.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121.0/176.0 176/176 55.0/0.0] diff --git a/tests/result/dns_dot.pcap.out b/tests/result/dns_dot.pcap.out index f555047b0..0fdb72f4b 100644 --- a/tests/result/dns_dot.pcap.out +++ b/tests/result/dns_dot.pcap.out @@ -5,4 +5,4 @@ JA3 Host Stats: 1 192.168.1.185 1 - 1 TCP 192.168.1.185:58290 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Web/5][14 pkts/1480 bytes <-> 10 pkts/4389 bytes][Goodput ratio: 37.0/84.8][3.01 sec][bytes ratio: -0.496 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 269.6/181.6 1596/1192 531.3/412.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.7/438.9 264/3135 52.7/903.0][TLSv1.2][JA3C: 4fe4099926d0acdc9b2fe4b02013659f][Server: dns.google][JA3S: 2b341b88c742e940cfb485ce7d93dde7][Organization: Google LLC][Certificate SHA-1: BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53][Validity: 2017-06-15 00:00:42 - 2021-12-15 00:00:42][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] + 1 TCP 192.168.1.185:58290 <-> 8.8.8.8:853 [proto: 91.196/TLS.DoH_DoT][cat: Network/14][14 pkts/1480 bytes <-> 10 pkts/4389 bytes][Goodput ratio: 37.0/84.8][3.01 sec][bytes ratio: -0.496 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 269.6/181.6 1596/1192 531.3/412.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.7/438.9 264/3135 52.7/903.0][TLSv1.2][JA3C: 4fe4099926d0acdc9b2fe4b02013659f][ServerNames: dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google][JA3S: 2b341b88c742e940cfb485ce7d93dde7][Organization: Google LLC][Certificate SHA-1: BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53][Validity: 2019-10-10 20:58:42 - 2020-01-02 20:58:42][Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out index 1d51685ac..6877ec9e9 100644 --- a/tests/result/dnscrypt.pcap.out +++ b/tests/result/dnscrypt.pcap.out @@ -5,7 +5,7 @@ JA3 Host Stats: 1 192.168.43.167 2 - 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][Goodput ratio: 44.9/92.1][0.71 sec][bytes ratio: -0.782 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.3/19.9 114/119 43.4/33.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.3/694.3 272/1364 67.6/593.9][TLSv1.2][Client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][Goodput ratio: 50.5/89.4][0.52 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/24.9 105/106 34.0/34.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 110.4/516.1 334/1364 76.2/542.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.44 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72.5/31.5 188/124 74.3/50.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.36 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 59.5/32.5 136/140 58.9/52.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][Server: simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][Goodput ratio: 44.9/92.1][0.71 sec][bytes ratio: -0.782 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.3/19.9 114/119 43.4/33.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.3/694.3 272/1364 67.6/593.9][TLSv1.2][Client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][Goodput ratio: 50.5/89.4][0.52 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/24.9 105/106 34.0/34.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 110.4/516.1 334/1364 76.2/542.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.44 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72.5/31.5 188/124 74.3/50.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43.0/92.9][0.36 sec][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 59.5/32.5 136/140 58.9/52.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 97.5/773.5 264/1364 75.0/597.4][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/dtls.pcap.out b/tests/result/dtls.pcap.out new file mode 100644 index 000000000..16c4cf556 --- /dev/null +++ b/tests/result/dtls.pcap.out @@ -0,0 +1,8 @@ +TLS 2 394 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.13.203 1 + + + 1 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 91/TLS][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78.5/0.0][< 1 sec][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5] diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out index 043e9d33e..357bb7a09 100644 --- a/tests/result/facebook.pcap.out +++ b/tests/result/facebook.pcap.out @@ -6,4 +6,4 @@ JA3 Host Stats: 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][Goodput ratio: 52.6/93.4][0.68 sec][bytes ratio: -0.785 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.1/30.5 154/154 52.5/52.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 140.2/1004.6 583/1454 137.4/604.5][TLSv1.2][Client: www.facebook.com][JA3C: 5c60e71f1b8cd40e4d40ed5b6d666e3f][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][Goodput ratio: 55.2/84.8][1.30 sec][bytes ratio: -0.532 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 148.4/73.2 414/313 171.7/127.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 149.4/440.0 449/1454 124.6/521.5][TLSv1.2][Client: facebook.com][JA3C: bfcc1a3891601edb4f137ab7ab25b840][Server: *.facebook.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9][Validity: 2014-08-28 00:00:00 - 2016-12-30 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][Goodput ratio: 55.2/84.8][1.30 sec][bytes ratio: -0.532 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 148.4/73.2 414/313 171.7/127.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 149.4/440.0 449/1454 124.6/521.5][TLSv1.2][Client: facebook.com][JA3C: bfcc1a3891601edb4f137ab7ab25b840][ServerNames: *.facebook.com,*.facebook.net,*.fb.com,*.fbcdn.net,*.fbsbx.com,*.m.facebook.com,*.messenger.com,*.xx.fbcdn.net,*.xy.fbcdn.net,*.xz.fbcdn.net,facebook.com,fb.com,messenger.com][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9][Validity: 2014-08-28 00:00:00 - 2016-12-30 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out index 4a2aa2c90..271f80d35 100644 --- a/tests/result/google_ssl.pcap.out +++ b/tests/result/google_ssl.pcap.out @@ -1,7 +1,3 @@ Google 28 9108 1 -JA3 Host Stats: - IP Address # JA3C - - - 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/TLS.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][Goodput ratio: 42.6/91.1][6.67 sec][bytes ratio: -0.668 (Download)][IAT c2s/s2c min/avg/max/stddev: 76/66 422.0/543.8 1185/1213 375.8/401.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94.5/633.0 368/1484 86.7/622.2][TLSv1][Server: www.google.com][JA3S: 7252ecc446aba4a3e474793ae320609a (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_SHA] + 1 TCP 172.31.3.224:42835 <-> 216.58.212.100:443 [proto: 91.126/TLS.Google][cat: Web/5][16 pkts/1512 bytes <-> 12 pkts/7596 bytes][Goodput ratio: 42.6/91.1][6.67 sec][bytes ratio: -0.668 (Download)][IAT c2s/s2c min/avg/max/stddev: 76/66 422.0/543.8 1185/1213 375.8/401.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94.5/633.0 368/1484 86.7/622.2][PLAIN TEXT (@zgsiP)] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index 21606f75a..48a0e99da 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out @@ -10,12 +10,12 @@ JA3 Host Stats: 1 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][cat: Web/5][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Goodput ratio: 73.6/78.2][11.12 sec][Host: www.google.it][bytes ratio: -0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 11/2 411.9/168.2 6008/1778 1177.1/366.5][Pkt Len c2s/s2c min/avg/max/stddev: 99/91 234.6/284.0 1412/1412 285.7/300.8][PLAIN TEXT (www.google.it)] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][Goodput ratio: 69.4/91.1][0.43 sec][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.6/44.3 229/290 62.1/87.8][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 283.5/970.7 919/1514 323.7/538.6][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 26.1/87.8][0.17 sec][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.4/10.8 64/27 19.3/12.4][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117.5/715.2 298/1514 67.4/607.6][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 28.0/87.8][0.12 sec][bytes ratio: -0.652 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14.8/9.0 50/23 16.2/10.3][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/715.2 298/1514 69.9/607.6][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][Goodput ratio: 28.0/89.2][0.17 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19.8/8.8 63/25 19.7/10.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/805.1 298/2754 69.9/929.1][TLSv1][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34] - 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][Goodput ratio: 36.4/89.6][0.06 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3.4/2.7 8/7 3.4/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 137.1/845.4 310/2942 82.6/1077.9][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][Server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2008-04-02 12:00:00 - 2022-04-03 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][Goodput ratio: 40.0/91.5][0.06 sec][bytes ratio: -0.651 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 11.8/5.3 43/8 15.9/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 145.7/1035.2 310/3633 86.4/1503.0][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][Server: *.ak.fbcdn.net][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2008-04-02 12:00:00 - 2022-04-03 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][Goodput ratio: 69.4/91.1][0.43 sec][bytes ratio: -0.492 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36.6/44.3 229/290 62.1/87.8][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 283.5/970.7 919/1514 323.7/538.6][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 26.1/87.8][0.17 sec][bytes ratio: -0.632 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.4/10.8 64/27 19.3/12.4][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 117.5/715.2 298/1514 67.4/607.6][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][Goodput ratio: 28.0/87.8][0.12 sec][bytes ratio: -0.652 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14.8/9.0 50/23 16.2/10.3][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/715.2 298/1514 69.9/607.6][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][Goodput ratio: 28.0/89.2][0.17 sec][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19.8/8.8 63/25 19.7/10.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 120.6/805.1 298/2754 69.9/929.1][TLSv1.2][Client: www.ntop.org][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: shop.ntop.org,www.shop.ntop.org][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34][Validity: 2015-11-15 00:00:00 - 2018-11-14 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][7 pkts/960 bytes <-> 5 pkts/4227 bytes][Goodput ratio: 36.4/89.6][0.06 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3.4/2.7 8/7 3.4/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 137.1/845.4 310/2942 82.6/1077.9][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: *.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2015-08-12 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/874 bytes <-> 4 pkts/4141 bytes][Goodput ratio: 40.0/91.5][0.06 sec][bytes ratio: -0.651 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 11.8/5.3 43/8 15.9/3.1][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 145.7/1035.2 310/3633 86.4/1503.0][TLSv1.2][Client: s-static.ak.facebook.com][JA3C: d3e627f423a33ea41841c19b8af79293][ServerNames: *.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com][JA3S: b898351eb5e266aefd3723d466935494][Organization: Facebook, Inc.][Certificate SHA-1: E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A][Validity: 2015-08-12 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/TLS][cat: Web/5][7 pkts/860 bytes <-> 7 pkts/1353 bytes][Goodput ratio: 30.0/55.5][0.12 sec][bytes ratio: -0.223 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/6.0 30/30 13.4/12.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 122.9/193.3 268/592 61.5/171.9] 9 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][cat: Web/5][2 pkts/359 bytes <-> 1 pkts/143 bytes][Goodput ratio: 65.3/56.2][0.07 sec] 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/TLS][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/86 bytes][Goodput ratio: 0.0/0.0][0.04 sec] diff --git a/tests/result/instagram.pcap.out b/tests/result/instagram.pcap.out index c038f30fc..64f0d32f0 100644 --- a/tests/result/instagram.pcap.out +++ b/tests/result/instagram.pcap.out @@ -14,18 +14,18 @@ JA3 Host Stats: 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][103 pkts/150456 bytes <-> 47 pkts/3102 bytes][Goodput ratio: 95.5/0.0][1.71 sec][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/40.9 1246/1247 136.9/216.6][Pkt Len c2s/s2c min/avg/max/stddev: 1128/66 1460.7/66.0 1464/66 32.9/0.0][PLAIN TEXT (dnlN/L)] 2 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Goodput ratio: 23.2/95.6][0.07 sec][Host: photos-h.ak.instagram.com][bytes ratio: -0.962 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5.6/0.3 33/2 11.2/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/1484 86.0/1484.0 326/1484 69.3/0.0][URL: photos-h.ak.instagram.com/hphotos-ak-xap1/t51.2885-15/e35/10859994_1009433792434447_1627646062_n.jpg?se=7][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] 3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Goodput ratio: 9.6/95.4][0.09 sec][Host: photos-g.ak.instagram.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2.4/0.5 62/2 11.3/0.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/396 73.0/1435.2 326/1484 42.2/209.5][URL: photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11417349_1610424452559638_1559096152_n.jpg?se=7][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] - 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Goodput ratio: 15.3/94.7][7.88 sec][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 244.3/12.2 7254/372 1260.5/65.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][URL: photos-e.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11379148_1449120228745316_607477962_n.jpg?se=7][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] + 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Goodput ratio: 15.3/94.7][7.88 sec][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 244.3/12.2 7254/372 1260.5/65.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][URL: photos-e.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11379148_1449120228745316_607477962_n.jpg?se=7][StatusCode: 0][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] 5 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Goodput ratio: 13.8/95.4][0.51 sec][Host: photos-g.ak.instagram.com][bytes ratio: -0.927 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.5/0.3 321/2 76.4/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/186 76.5/1423.0 319/1484 50.6/248.6][URL: photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e15/11386524_110257619317430_379513654_n.jpg][StatusCode: 200][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] - 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][Goodput ratio: 59.6/94.4][10.06 sec][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 364.1/362.3 7669/7709 1462.3/1471.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163.4/1180.4 1431/1464 317.9/494.8] + 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][Goodput ratio: 59.6/94.4][10.06 sec][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 364.1/362.3 7669/7709 1462.3/1471.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163.4/1180.4 1431/1464 317.9/494.8][PLAIN TEXT (ny.iaXs)] 7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][cat: Web/5][25 pkts/37100 bytes <-> 24 pkts/1584 bytes][Goodput ratio: 95.5/0.0][0.04 sec][bytes ratio: 0.918 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.2/1.3 7/7 1.7/1.7][Pkt Len c2s/s2c min/avg/max/stddev: 1484/66 1484.0/66.0 1484/66 0.0/0.0][PLAIN TEXT (inOCIM)] 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 7/HTTP][cat: Web/5][14 pkts/924 bytes <-> 20 pkts/28115 bytes][Goodput ratio: 0.0/95.3][7.36 sec][bytes ratio: -0.936 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 735.4/0.5 7321/3 2195.2/1.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66.0/1405.8 66/1484 0.0/309.0][PLAIN TEXT (dGQaNFV)] 9 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][cat: Web/5][16 pkts/22931 bytes <-> 9 pkts/594 bytes][Goodput ratio: 95.4/0.0][0.02 sec][bytes ratio: 0.950 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.8/1.3 5/4 1.3/1.4][Pkt Len c2s/s2c min/avg/max/stddev: 671/66 1433.2/66.0 1484/66 196.8/0.0][PLAIN TEXT (DD.DOo)] - 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][Goodput ratio: 51.2/92.4][0.19 sec][bytes ratio: -0.707 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/23.0 56/88 18.1/30.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/885.7 375/1484 113.9/639.8][TLSv1][Client: igcdn-photos-g-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][Goodput ratio: 56.7/90.2][0.17 sec][bytes ratio: -0.515 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.1/29.2 79/103 25.5/38.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.5/689.1 516/1484 151.0/647.4][TLSv1][Client: igcdn-photos-h-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][Goodput ratio: 51.2/92.4][0.19 sec][bytes ratio: -0.707 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/23.0 56/88 18.1/30.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/885.7 375/1484 113.9/639.8][TLSv1][Client: igcdn-photos-g-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][Goodput ratio: 56.7/90.2][0.17 sec][bytes ratio: -0.515 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.1/29.2 79/103 25.5/38.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.5/689.1 516/1484 151.0/647.4][TLSv1][Client: igcdn-photos-h-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 7df57c06f869fc3ce509521cae2f75ce][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][6 pkts/4699 bytes <-> 6 pkts/1345 bytes][Goodput ratio: 91.6/70.5][2.36 sec][bytes ratio: 0.555 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 589.8/589.8 2180/2130 921.0/894.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 783.2/224.2 1464/1015 545.1/353.7] - 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.3/11.0 70/40 26.9/16.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.8/12.0 71/47 27.1/20.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: a248.e.akamai.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] - 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][Goodput ratio: 74.1/90.4][2.48 sec][bytes ratio: -0.526 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.0/51.0 254/202 109.7/87.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/686.3 1015/1464 379.6/610.1] + 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.3/11.0 70/40 26.9/16.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][8 pkts/896 bytes <-> 6 pkts/4671 bytes][Goodput ratio: 40.1/91.3][0.16 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25.8/12.0 71/47 27.1/20.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.0/778.5 292/1484 80.8/657.3][TLSv1][Client: igcdn-photos-a-a.akamaihd.net][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net][JA3S: 34d6f0ad0a79e4cfdf145e640cc93f78][Organization: Akamai Technologies Inc.][Certificate SHA-1: EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23][Validity: 2015-06-19 16:52:07 - 2016-06-19 16:52:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 6 pkts/4118 bytes][Goodput ratio: 74.1/90.4][2.48 sec][bytes ratio: -0.526 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.0/51.0 254/202 109.7/87.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/686.3 1015/1464 379.6/610.1][PLAIN TEXT (kpaeC.)] 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1279 bytes <-> 5 pkts/4020 bytes][Goodput ratio: 74.1/91.8][0.22 sec][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 53.8/43.0 215/172 93.1/74.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 255.8/804.0 1015/1464 379.6/595.0] 17 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Goodput ratio: 46.3/94.2][0.18 sec][Host: photos-f.ak.instagram.com][bytes ratio: -0.722 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 61.3/0.5 184/1 86.7/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 78/488 139.8/1152.0 325/1484 107.0/469.5][URL: photos-f.ak.instagram.com/hphotos-ak-xfa1/t51.2885-15/e35/11424623_1608163109450421_663315883_n.jpg?se=7][StatusCode: 0][ContentType: ][UserAgent: Instagram 7.1.1 Android (19/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)][PLAIN TEXT (GET /hphotos)] 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/TLS.Instagram][cat: SocialNetwork/6][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][Goodput ratio: 61.9/49.6][0.80 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 93.7/79.8 183/182 81.8/80.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 175.9/133.0 530/231 154.8/70.1][TLSv1][Client: telegraph-ash.instagram.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][JA3S: acb741bcdffb787c5a52654c78645bdf][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] diff --git a/tests/result/malware.pcap.out b/tests/result/malware.pcap.out index dd536f2bc..75e07b530 100644 --- a/tests/result/malware.pcap.out +++ b/tests/result/malware.pcap.out @@ -8,7 +8,7 @@ JA3 Host Stats: 1 192.168.7.7 1 - 1 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91.225/TLS.OpenDNS][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][Goodput ratio: 52.6/91.2][0.64 sec][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.1/74.8 240/249 99.0/103.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.4/651.1 571/1514 148.2/644.4][TLSv1.2][Client: www.internetbadguys.com][JA3C: f6ce47303dce394049af395fc6d0bc20][Server: api.opendns.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Organization: OpenDNS, Inc.][Certificate SHA-1: 21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C][Validity: 2018-04-26 00:00:00 - 2020-07-29 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.7.7:35236 <-> 67.215.92.210:443 [proto: 91.225/TLS.OpenDNS][cat: Malware/100][11 pkts/1280 bytes <-> 9 pkts/5860 bytes][Goodput ratio: 52.6/91.2][0.64 sec][bytes ratio: -0.641 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.1/74.8 240/249 99.0/103.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.4/651.1 571/1514 148.2/644.4][TLSv1.2][Client: www.internetbadguys.com][JA3C: f6ce47303dce394049af395fc6d0bc20][ServerNames: api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.opendns.com,dashboard.opendns.com,dashboard-ipv4.opendns.com,msp-login.opendns.com,api-ipv4.opendns.com,api-ipv6.opendns.com,authz.api.opendns.com,domain.opendns.com,help.vpn.opendns.com,ideabank.opendns.com,login.opendns.com,netgear.opendns.com,reseller-login.opendns.com,images.opendns.com,images-using.opendns.com,store.opendns.com,signup.opendns.com,twilio.opendns.com,updates.opendns.com,shared.opendns.com,tools.opendns.com,cache.opendns.com,api.umbrella.com,branded-login.umbrella.com,cachecheck.umbrella.com,community.umbrella.com,dashboard2.umbrella.com,dashboard.umbrella.com,dashboard-ipv4.umbrella.com,msp-login.umbrella.com,api-ipv4.umbrella.com,api-ipv6.umbrella.com,authz.api.umbrella.com,domain.umbrella.com,help.vpn.umbrella.com,ideabank.umbrella.com,login.umbrella.com,netgear.umbrella.com,reseller-login.umbrella.com,images.umbrella.com,images-using.umbrella.com,store.umbrella.com,signup.umbrella.com,twilio.umbrella.com,updates.umbrella.com,shared.umbrella.com,tools.umbrella.com,cache.umbrella.com][JA3S: 0c0aff9ccea5e7e1de5c3a0069d103f3][Organization: OpenDNS, Inc.][Certificate SHA-1: 21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C][Validity: 2018-04-26 00:00:00 - 2020-07-29 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 2 TCP 192.168.7.7:48394 <-> 67.215.92.210:80 [proto: 7.225/HTTP.OpenDNS][cat: Malware/100][1 pkts/383 bytes <-> 1 pkts/98 bytes][Goodput ratio: 85.7/44.4][0.21 sec][Host: www.internetbadguys.com][URL: www.internetbadguys.com/][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0][PLAIN TEXT (GET / HTTP/1.1)] 3 UDP 192.168.7.7:42370 <-> 1.1.1.1:53 [proto: 5/DNS][cat: Malware/100][1 pkts/106 bytes <-> 1 pkts/110 bytes][Goodput ratio: 59.8/61.3][0.02 sec][Host: www.internetbadguys.com][PLAIN TEXT (internetbadguys)] 4 ICMP 192.168.7.7:0 -> 144.139.247.220:0 [proto: 81/ICMP][cat: Malware/100][1 pkts/98 bytes -> 0 pkts/0 bytes][Goodput ratio: 56.6/0.0][< 1 sec] diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out index f36cefc2a..9cbfbe81b 100644 --- a/tests/result/netflix.pcap.out +++ b/tests/result/netflix.pcap.out @@ -13,46 +13,46 @@ JA3 Host Stats: 2 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Goodput ratio: 16.5/95.6][53.10 sec][Host: 23.246.3.140][bytes ratio: -0.935 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 117.0/55.1 5026/5044 455.1/247.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/74 80.3/1493.7 581/1514 81.4/139.9][URL: 23.246.3.140/?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4][StatusCode: 206][ContentType: ][UserAgent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][PLAIN TEXT (oMrLRiWL)] 3 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Goodput ratio: 15.6/95.6][46.97 sec][Host: 23.246.11.133][bytes ratio: -0.939 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 193.6/107.2 26359/26393 1829.1/1320.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 79.1/1487.1 582/1514 78.6/167.2][URL: 23.246.11.133/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10][StatusCode: 206][ContentType: ][UserAgent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][PLAIN TEXT (oMrLRiWL1)] 4 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][147 pkts/11558 bytes <-> 490 pkts/734346 bytes][Goodput ratio: 1.9/95.6][59.61 sec][Host: tp.akam.nflximg.com][bytes ratio: -0.969 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 418.0/45.1 30607/2159 2956.1/164.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 78.6/1498.7 282/1514 20.9/140.2][URL: tp.akam.nflximg.com/tpa3/616/2041779616.bif][StatusCode: 200][ContentType: text/plain][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (GET /tpa3/616/2041779616.bif HT)] - 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][Goodput ratio: 19.7/95.2][73.78 sec][bytes ratio: -0.931 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1183.5/604.0 69170/69192 8779.7/6263.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87.0/1379.1 293/1514 38.8/401.2][TLSv1.2][Client: art-s.nflximg.net][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: secure.cdn.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][Organization: Netflix, Inc.][Certificate SHA-1: 0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26][Validity: 2016-04-06 00:00:00 - 2017-04-05 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] + 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][Goodput ratio: 19.7/95.2][73.78 sec][bytes ratio: -0.931 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1183.5/604.0 69170/69192 8779.7/6263.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87.0/1379.1 293/1514 38.8/401.2][TLSv1.2][Client: art-s.nflximg.net][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net][JA3S: ef6b224ce027c8e21e5a25d8a58255a3][Organization: Netflix, Inc.][Certificate SHA-1: 0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26][Validity: 2016-04-06 00:00:00 - 2017-04-05 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] 6 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Goodput ratio: 23.3/95.5][6.10 sec][Host: 23.246.11.141][bytes ratio: -0.916 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 89.7/58.1 504/714 130.2/108.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/74 88.1/1463.8 582/1514 100.4/228.0][URL: 23.246.11.141/?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo][StatusCode: 206][ContentType: ][UserAgent: AppleCoreMedia/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)][PLAIN TEXT (oMrLRiWL2)] 7 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Goodput ratio: 7.2/95.5][34.92 sec][Host: art-2.nflximg.net][bytes ratio: -0.947 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/12 1100.9/41.1 30978/402 5646.5/66.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.3/1455.7 311/1514 38.3/273.5][URL: art-2.nflximg.net/5758c/bb636e44b87ef854c331ed7b7b6e157e4945758c.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /5758)] - 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][Goodput ratio: 84.0/88.8][47.10 sec][bytes ratio: -0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 743.5/738.5 30450/30505 3962.3/4074.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 413.7/588.1 1514/1514 553.3/593.8][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][Goodput ratio: 93.9/78.5][53.21 sec][bytes ratio: 0.727 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1378.0/2893.2 51181/51242 8187.7/11726.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1091.7/317.7 1514/1514 614.5/491.5][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][Goodput ratio: 84.0/88.8][47.10 sec][bytes ratio: -0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 743.5/738.5 30450/30505 3962.3/4074.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 413.7/588.1 1514/1514 553.3/593.8][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][Goodput ratio: 93.9/78.5][53.21 sec][bytes ratio: 0.727 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1378.0/2893.2 51181/51242 8187.7/11726.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1091.7/317.7 1514/1514 614.5/491.5][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 10 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2040 bytes <-> 34 pkts/45136 bytes][Goodput ratio: 17.4/95.0][1.88 sec][bytes ratio: -0.914 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 76.6/61.8 638/579 155.4/121.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.0/1327.5 422/1514 70.8/457.1][URL: 23.246.10.139/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=34073607][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1868 bytes <-> 34 pkts/45139 bytes][Goodput ratio: 18.9/95.0][2.09 sec][bytes ratio: -0.921 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/2 70.5/47.3 708/633 170.8/120.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 89.0/1327.6 420/1514 74.7/456.9][URL: 23.246.3.140/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 12 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Goodput ratio: 17.0/95.2][42.46 sec][Host: art-2.nflximg.net][bytes ratio: -0.877 (Download)][IAT c2s/s2c min/avg/max/stddev: 11/0 424.7/42.9 3643/161 850.2/34.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 93.3/1378.5 312/1514 58.6/421.3][URL: art-2.nflximg.net/af7a5/362643424e775d0393ddb46e145c2375367af7a5.webp][StatusCode: 200][ContentType: image/webp][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /af)] 13 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][21 pkts/1826 bytes <-> 32 pkts/43179 bytes][Goodput ratio: 19.5/95.1][1.58 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 52.7/51.8 354/582 86.6/111.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87.0/1349.3 422/1514 75.3/442.6][URL: 23.246.11.145/range/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=39307082][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][Goodput ratio: 68.7/93.1][38.50 sec][bytes ratio: -0.712 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1640.5/1231.6 30390/30443 6288.1/5475.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 210.9/964.4 1514/1514 376.2/637.4][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][Goodput ratio: 68.7/93.1][38.50 sec][bytes ratio: -0.712 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1640.5/1231.6 30390/30443 6288.1/5475.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 210.9/964.4 1514/1514 376.2/637.4][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 15 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Goodput ratio: 20.0/95.3][1.39 sec][Host: art-1.nflximg.net][bytes ratio: -0.942 (Download)][IAT c2s/s2c min/avg/max/stddev: 11/0 27.5/35.1 45/81 10.3/18.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101.8/1414.4 311/1514 64.1/365.9][URL: art-1.nflximg.net/8b1fa/eaa1b78cd72ca4dbdcab527691d2fcab37c8b1fa.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /8b)] 16 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2596 bytes <-> 29 pkts/37544 bytes][Goodput ratio: 13.8/94.9][7.33 sec][bytes ratio: -0.871 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 267.2/77.0 1392/465 371.7/115.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83.7/1294.6 424/1514 62.8/489.1][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJiXLBugGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPflHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JqTg0NiANIn4-aRwn3uKtWdoQ7M&random=114897][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (czGET /range/0)] 17 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Goodput ratio: 31.4/95.0][2.07 sec][Host: art-1.nflximg.net][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 166.5/93.7 1389/1416 393.8/299.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97.4/1336.5 311/1514 80.8/428.1][URL: art-1.nflximg.net/4e36d/6289889020d6cc6dfb3038c35564a41e1ca4e36d.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /4e)] - 18 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Goodput ratio: 72.0/94.2][31.31 sec][Host: appboot.netflix.com][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3092.2/20.9 30728/135 9212.0/28.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241.7/1136.3 1514/1514 404.6/584.3][URL: appboot.netflix.com/appboot/NFAPPL-02-][StatusCode: 200][ContentType: application/x-msl+json][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /appboot/NFAPPL)] + 18 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Goodput ratio: 72.0/94.2][31.31 sec][Host: appboot.netflix.com][bytes ratio: -0.781 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3092.2/20.9 30728/135 9212.0/28.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 241.7/1136.3 1514/1514 404.6/584.3][URL: appboot.netflix.com/appboot/NFAPPL-02-][StatusCode: 0][ContentType: ][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /appboot/NFAPPL)] 19 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][33 pkts/2732 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 13.1/94.5][7.16 sec][bytes ratio: -0.833 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 253.5/199.3 1162/1131 295.3/282.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.8/1202.6 424/1514 61.0/563.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=420981][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 20 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][24 pkts/2041 bytes <-> 25 pkts/30064 bytes][Goodput ratio: 17.5/94.5][5.93 sec][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/4 245.2/164.8 985/775 248.3/180.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.0/1202.6 423/1514 71.0/563.7][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJZ2bLBChGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_ngHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=SixKQmLLJNvShj-pfML-2h4QaqQ&random=727666][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 21 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][31 pkts/2571 bytes <-> 22 pkts/28042 bytes][Goodput ratio: 13.9/94.8][7.15 sec][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/4 264.6/325.6 1355/1382 336.5/386.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.9/1274.6 423/1514 62.5/516.6][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8&random=323765][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][Goodput ratio: 76.7/92.6][1.73 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 48.2/42.4 437/291 100.9/61.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 290.2/895.3 1514/1514 441.6/626.2][TLSv1.2][Client: api-global.netflix.com][JA3C: d8bfad189bd26664e04570c104ee8418][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][Goodput ratio: 76.7/92.6][1.73 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 48.2/42.4 437/291 100.9/61.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 290.2/895.3 1514/1514 441.6/626.2][TLSv1.2][Client: api-global.netflix.com][JA3C: d8bfad189bd26664e04570c104ee8418][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 23 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][32 pkts/2572 bytes <-> 23 pkts/26661 bytes][Goodput ratio: 14.0/94.3][7.05 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 247.8/270.5 635/1046 213.2/317.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 80.4/1159.2 426/1514 62.4/602.9][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQIpyTIBGjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_biCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=8Z78vL2i9OzihCA3M1LinMYcMY4&random=2386][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (fGET /range/0)] 24 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][36 pkts/3030 bytes <-> 21 pkts/25455 bytes][Goodput ratio: 11.8/94.5][8.05 sec][bytes ratio: -0.787 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/4 258.1/237.1 1250/1203 330.7/380.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84.2/1212.1 424/1514 58.1/550.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJqTIRqhGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_vlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=TnP59JB1wb5UTOCr0m-KQU2kGPo&random=413473][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 25 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2864 bytes <-> 21 pkts/25456 bytes][Goodput ratio: 12.6/94.5][5.76 sec][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168.5/222.6 1162/1317 246.3/336.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 84.2/1212.2 426/1514 60.5/550.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJ5yTLBCkGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_3mCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=r5jtnnEcR8hDCkPImfEiWqWAjKk&random=1846][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 26 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2553 bytes <-> 22 pkts/25510 bytes][Goodput ratio: 14.0/94.3][7.56 sec][bytes ratio: -0.818 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 297.7/146.2 1317/530 354.0/131.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 85.1/1159.5 423/1514 63.5/589.6][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJJmULRajGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpfblHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=zezrDJDQvgO2TiYC1dT3imH4QC8&random=169467][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][Goodput ratio: 91.9/78.0][32.21 sec][bytes ratio: 0.624 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.7/84.3 332/331 94.1/94.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 810.9/308.7 1514/1514 699.9/492.9][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][Goodput ratio: 91.9/78.0][32.21 sec][bytes ratio: 0.624 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.7/84.3 332/331 94.1/94.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 810.9/308.7 1514/1514 699.9/492.9][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][Goodput ratio: 72.0/91.0][0.86 sec][bytes ratio: -0.542 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.9/32.9 266/316 64.3/69.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 237.4/739.0 1514/1514 406.7/541.9][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 29 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][35 pkts/2920 bytes <-> 19 pkts/22428 bytes][Goodput ratio: 12.3/94.4][7.38 sec][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/0 222.2/250.0 636/1132 227.5/336.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 83.4/1180.4 424/1514 58.9/569.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQJpmQIRekGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThrvnlHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=mQfOf90-RY2Gd2ii20KJpCcYQVk&random=134564][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 30 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][34 pkts/2879 bytes <-> 20 pkts/22373 bytes][Goodput ratio: 12.5/94.1][8.26 sec][bytes ratio: -0.772 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238.4/289.2 1152/1208 301.3/406.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 84.7/1118.7 425/1514 60.1/613.7][URL: 23.246.11.141/range/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=1294][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] 31 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][30 pkts/2610 bytes <-> 20 pkts/22422 bytes][Goodput ratio: 13.7/94.1][7.09 sec][bytes ratio: -0.791 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 254.8/290.4 811/1178 266.6/325.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 87.0/1121.1 424/1514 63.5/610.6][URL: 23.246.11.133/range/0-65535?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10&random=247333][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /range/0)] - 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][Goodput ratio: 86.5/86.4][0.92 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46.4/54.5 282/127 72.4/34.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 485.7/490.6 1514/1514 602.5/610.3][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Goodput ratio: 90.6/86.7][31.72 sec][Host: api-global.netflix.com][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 2877.0/42.1 31088/123 8921.3/32.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 714.4/500.3 1514/1514 676.3/651.2][URL: api-global.netflix.com/msl/nrdjs/2.1.2][StatusCode: 200][ContentType: application/x-msl+json][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /msl/nrdjs/2.1.2 HTTP/1.1)] - 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][Goodput ratio: 79.0/90.4][1.01 sec][bytes ratio: -0.231 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.7/96.0 322/423 89.1/120.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 314.5/696.8 1514/1514 477.1/667.4][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][Goodput ratio: 75.9/84.0][38.49 sec][bytes ratio: -0.106 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2129.1/2946.1 30585/30636 7105.0/8237.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 274.0/414.4 1514/1514 437.3/546.1][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][Goodput ratio: 86.5/86.4][0.92 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 46.4/54.5 282/127 72.4/34.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 485.7/490.6 1514/1514 602.5/610.3][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Goodput ratio: 90.6/86.7][31.72 sec][Host: api-global.netflix.com][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 2877.0/42.1 31088/123 8921.3/32.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 714.4/500.3 1514/1514 676.3/651.2][URL: api-global.netflix.com/msl/nrdjs/2.1.2][StatusCode: 0][ContentType: ][UserAgent: Argo/900 CFNetwork/808.2.16 Darwin/16.3.0][PLAIN TEXT (POST /msl/nrdjs/2.1.2 HTTP/1.1)] + 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][Goodput ratio: 79.0/90.4][1.01 sec][bytes ratio: -0.231 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 64.7/96.0 322/423 89.1/120.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 314.5/696.8 1514/1514 477.1/667.4][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][Goodput ratio: 75.9/84.0][38.49 sec][bytes ratio: -0.106 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2129.1/2946.1 30585/30636 7105.0/8237.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 274.0/414.4 1514/1514 437.3/546.1][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 36 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][cat: Video/26][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Goodput ratio: 26.0/94.0][32.06 sec][Host: art-2.nflximg.net][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 4565.4/33.9 30963/63 10780.3/17.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 94.1/1119.8 311/1514 72.5/643.7][URL: art-2.nflximg.net/87b33/bed1223a0040fdc97bac4e906332e462c6e87b33.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Argo/9.1.0 (iPhone; iOS 10.2; Scale/2.00)][PLAIN TEXT (GET /87)] - 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][Goodput ratio: 82.7/79.7][30.85 sec][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1923.1/15.8 30431/72 7360.8/24.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 382.0/327.2 1514/1514 559.0/501.4][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][Goodput ratio: 83.5/80.6][30.38 sec][bytes ratio: 0.192 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2017.3/13.7 30033/55 7487.5/20.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 399.4/342.7 1514/1514 568.6/514.1][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][Goodput ratio: 79.7/82.7][3.15 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.9/303.2 2449/2522 644.8/743.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 325.2/386.1 1514/1514 478.5/534.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][Goodput ratio: 84.4/86.8][0.34 sec][bytes ratio: 0.009 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.1/31.0 85/65 31.5/27.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.4/507.4 1514/1514 532.6/591.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][Goodput ratio: 54.6/82.9][31.02 sec][bytes ratio: -0.343 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1820.1/45.2 30348/363 7132.3/102.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 145.3/389.6 422/1514 131.7/519.8][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][Goodput ratio: 70.3/85.6][0.32 sec][bytes ratio: -0.244 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 24.0/21.7 72/63 26.2/24.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 222.1/465.4 1514/1514 382.1/579.1][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][Server: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-01 12:30:00 - 2029-01-01 12:30:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][Goodput ratio: 82.7/79.7][30.85 sec][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1923.1/15.8 30431/72 7360.8/24.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 382.0/327.2 1514/1514 559.0/501.4][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][Goodput ratio: 83.5/80.6][30.38 sec][bytes ratio: 0.192 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2017.3/13.7 30033/55 7487.5/20.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 399.4/342.7 1514/1514 568.6/514.1][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][Goodput ratio: 79.7/82.7][3.15 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.9/303.2 2449/2522 644.8/743.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 325.2/386.1 1514/1514 478.5/534.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][Goodput ratio: 84.4/86.8][0.34 sec][bytes ratio: 0.009 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.1/31.0 85/65 31.5/27.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.4/507.4 1514/1514 532.6/591.2][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][Goodput ratio: 54.6/82.9][31.02 sec][bytes ratio: -0.343 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1820.1/45.2 30348/363 7132.3/102.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 145.3/389.6 422/1514 131.7/519.8][TLSv1.2][Client: ichnaea.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][Goodput ratio: 70.3/85.6][0.32 sec][bytes ratio: -0.244 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 24.0/21.7 72/63 26.2/24.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 222.1/465.4 1514/1514 382.1/579.1][TLSv1.2][Client: ios.nccp.netflix.com][JA3C: dc67ac8aaf8d7f69ecd6598135448f24][ServerNames: *.nccp.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: 97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33][Validity: 2001-01-17 20:32:09 - 2018-03-24 20:32:09][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][Goodput ratio: 73.9/84.2][30.77 sec][bytes ratio: -0.135 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 28.6/22.0 143/79 42.9/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 253.4/423.0 1514/1514 421.8/511.9][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][Goodput ratio: 36.2/84.0][30.93 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2373.2/20.4 30602/58 8149.0/25.9][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 103.6/417.1 309/1514 78.3/548.0][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][Server: api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][Goodput ratio: 36.2/84.0][30.93 sec][bytes ratio: -0.503 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2373.2/20.4 30602/58 8149.0/25.9][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 103.6/417.1 309/1514 78.3/548.0][TLSv1.2][Client: api-global.netflix.com][JA3C: c07cb55f88702033a8f52c046d23e0b2][ServerNames: api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Netflix, Inc.][Certificate SHA-1: FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C][Validity: 2016-04-12 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][Goodput ratio: 76.2/81.0][0.21 sec][bytes ratio: 0.065 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 26.1/20.2 92/54 34.4/21.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283.0/354.9 1450/1066 419.0/412.7][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/TLS.NetFlix][cat: Video/26][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][Goodput ratio: 38.8/68.9][30.71 sec][bytes ratio: -0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3064.5/6120.4 30486/30536 9140.5/12207.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/66 107.8/215.4 309/989 83.5/296.5][TLSv1.2][Client: api-global.netflix.com][JA3C: 7e72698146290dd68239f788a452e7d8][JA3S: 303951d4c50efb2e991652225a6f02b1][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 47 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][16 pkts/2648 bytes -> 0 pkts/0 bytes][Goodput ratio: 74.6/0.0][79.13 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 105/0 4588.2/0.0 14907/0 6546.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 164/0 165.5/0.0 167/0 1.5/0.0][PLAIN TEXT (SEARCH )] diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out index 34143be84..c1751d1a2 100644 --- a/tests/result/nintendo.pcap.out +++ b/tests/result/nintendo.pcap.out @@ -11,8 +11,8 @@ JA3 Host Stats: 2 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][cat: Game/8][122 pkts/48332 bytes <-> 35 pkts/5026 bytes][Goodput ratio: 89.4/70.7][5.68 sec][bytes ratio: 0.812 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 45.1/77.1 607/506 66.0/116.9][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 396.2/143.6 1254/886 210.0/128.5] 3 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][cat: Game/8][122 pkts/46476 bytes <-> 38 pkts/5268 bytes][Goodput ratio: 89.0/69.7][5.49 sec][bytes ratio: 0.796 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40.3/75.5 313/318 40.4/84.4][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 381.0/138.6 886/886 192.7/123.7][PLAIN TEXT (FutwCa)] 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 91.178/TLS.Amazon][cat: Web/5][34 pkts/4466 bytes <-> 20 pkts/4021 bytes][Goodput ratio: 49.7/67.2][21.54 sec][bytes ratio: 0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 728.2/1409.1 14019/13944 2635.6/3582.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131.4/201.1 400/983 85.6/219.4] - 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][Goodput ratio: 74.6/86.3][0.56 sec][bytes ratio: -0.253 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65.1/53.9 287/250 89.4/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263.5/486.5 1414/1414 387.3/570.3][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][Server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][Goodput ratio: 76.4/86.3][0.51 sec][bytes ratio: -0.264 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57.4/47.4 243/198 75.9/64.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283.3/486.6 1414/1414 400.9/570.5][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][Server: *.baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][Goodput ratio: 74.6/86.3][0.56 sec][bytes ratio: -0.253 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 65.1/53.9 287/250 89.4/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263.5/486.5 1414/1414 387.3/570.3][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/TLS.Nintendo][cat: Game/8][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][Goodput ratio: 76.4/86.3][0.51 sec][bytes ratio: -0.264 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57.4/47.4 243/198 75.9/64.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 283.3/486.6 1414/1414 400.9/570.5][TLSv1.2][Client: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com][JA3C: 200a99534ce50d35cf40cc3cce4c69b5][ServerNames: *.baas.nintendo.com,baas.nintendo.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Nintendo Co., Ltd.][Certificate SHA-1: 8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94][Validity: 2015-08-12 00:00:00 - 2018-08-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 7 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][cat: Game/8][23 pkts/2682 bytes <-> 16 pkts/3408 bytes][Goodput ratio: 64.0/80.3][4.86 sec][bytes ratio: -0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 231.7/88.7 514/507 225.4/142.2][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 116.6/213.0 230/854 27.1/243.3] 8 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][cat: Game/8][8 pkts/1024 bytes <-> 8 pkts/1024 bytes][Goodput ratio: 67.1/67.1][1.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 39/58 118.7/111.0 274/242 88.6/65.3][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 128.0/128.0 198/198 40.7/40.7] 9 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][cat: Game/8][8 pkts/1040 bytes <-> 7 pkts/922 bytes][Goodput ratio: 67.6/68.0][1.15 sec][bytes ratio: 0.060 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/17 107.5/127.0 288/286 108.6/89.8][Pkt Len c2s/s2c min/avg/max/stddev: 102/102 130.0/131.7 198/198 39.8/42.3] diff --git a/tests/result/pps.pcap.out b/tests/result/pps.pcap.out index 935d5e29e..b217994f0 100644 --- a/tests/result/pps.pcap.out +++ b/tests/result/pps.pcap.out @@ -7,7 +7,7 @@ Google 2 1093 1 2 TCP 192.168.115.8:50778 <-> 223.26.106.20:80 [proto: 7/HTTP][cat: Streaming/17][1 pkts/303 bytes <-> 528 pkts/692658 bytes][Goodput ratio: 81.9/95.9][0.82 sec][Host: preimage1.qiyipic.com][bytes ratio: -0.999 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/1.4 0/51 0.0/6.5][Pkt Len c2s/s2c min/avg/max/stddev: 303/180 303.0/1311.9 303/1314 0.0/49.3][URL: preimage1.qiyipic.com/preimage/20160506/f0/1f/v_110359998_m_611_160_90_1.jpg?no=1][StatusCode: 200][ContentType: ][UserAgent: Qiyi List Client PC 5.2.15.2240][PLAIN TEXT (GET /preimage/20160506/f0/1)] 3 TCP 192.168.115.8:50505 <-> 223.26.106.19:80 [proto: 7/HTTP][cat: Streaming/17][2 pkts/400 bytes <-> 244 pkts/319633 bytes][Goodput ratio: 72.8/95.9][0.11 sec][Host: static.qiyi.com][bytes ratio: -0.998 (Download)][IAT c2s/s2c min/avg/max/stddev: 35/0 35.0/0.4 35/35 0.0/2.5][Pkt Len c2s/s2c min/avg/max/stddev: 198/566 200.0/1310.0 202/1314 2.0/50.0][URL: static.qiyi.com/ext/common/qisu2/downloader.ini][StatusCode: 200][ContentType: ][UserAgent: Downloader][PLAIN TEXT (GET /ext/common/qisu2/downloade)] 4 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7/HTTP][cat: Web/5][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Goodput ratio: 87.1/95.9][0.02 sec][Host: 223.26.106.66][bytes ratio: -0.975 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0.0/0.3 0/3 0.0/0.8][Pkt Len c2s/s2c min/avg/max/stddev: 426/1022 426.0/1302.8 426/1314 0.0/56.2][URL: 223.26.106.66/videos/v0/20160625/a5/bf/8de9bb946972a88589d1667862292130.f4v?key=07eef1821e2379d3136ffe16082185ba2&src=iqiyi.com&&tn=137719&uuid=76a3085a-57760844-de][StatusCode: 0][ContentType: ][UserAgent: QY-Player-Windows/2.0.102][PLAIN TEXT (GET /videos/v)] - 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7/HTTP][cat: Web/5][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Goodput ratio: 94.6/95.6][13.04 sec][Host: bcu.ff.avast.com][bytes ratio: -0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 68.1/0.0 307/0 127.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 231/536 1002.1/1239.1 1314/1314 433.8/214.6][URL: bcu.ff.avast.com/bc2][StatusCode: 200][ContentType: application/x-enc][UserAgent: {D699054D-1699-47D2-9B2B-E96F438C1160}][PLAIN TEXT (POST /bc2 HTTP/1.1)] + 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7/HTTP][cat: Web/5][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Goodput ratio: 94.6/95.6][13.04 sec][Host: bcu.ff.avast.com][bytes ratio: -0.149 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 68.1/0.0 307/0 127.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 231/536 1002.1/1239.1 1314/1314 433.8/214.6][URL: bcu.ff.avast.com/bc2][StatusCode: 0][ContentType: application/x-enc][UserAgent: {D699054D-1699-47D2-9B2B-E96F438C1160}][PLAIN TEXT (POST /bc2 HTTP/1.1)] 6 UDP 192.168.5.38:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][18 pkts/9327 bytes -> 0 pkts/0 bytes][Goodput ratio: 91.9/0.0][6.36 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 46/0 392.9/0.0 2654/0 854.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 473/0 518.2/0.0 553/0 30.0/0.0][PLAIN TEXT (NOTIFY )] 7 TCP 192.168.115.8:50476 <-> 101.227.32.39:80 [proto: 7/HTTP][cat: Streaming/17][1 pkts/656 bytes <-> 4 pkts/3897 bytes][Goodput ratio: 91.6/94.4][0.04 sec][Host: cache.video.iqiyi.com][URL: cache.video.iqiyi.com/vi/500494600/562e26caed5695900212eb3259070f8a/?src=1_11_114][StatusCode: 200][ContentType: ][UserAgent: ][PLAIN TEXT (GET /vi/500494600/562)] 8 TCP 192.168.115.8:50495 <-> 202.108.14.236:80 [proto: 7/HTTP][cat: Streaming/17][3 pkts/2844 bytes <-> 3 pkts/597 bytes][Goodput ratio: 94.3/72.7][0.55 sec][Host: msg.71.am][bytes ratio: 0.653 (Upload)][IAT c2s/s2c min/avg/max/stddev: 117/118 216.0/217.0 315/316 99.0/99.0][Pkt Len c2s/s2c min/avg/max/stddev: 946/199 948.0/199.0 952/199 2.8/0.0][URL: msg.71.am/cp2.gif?a=4e3ae415a584748ac9aa31628f39d1e8&ai=&as=1:23:23|45&av=4.10.004&b=180932301&c=31&ct=5000000927558&d=2175&di=&dp=71000001&e=c4889e64ad9d9eeb9ff438910850c442&ec=&em=&fi=&g=0&l=MTE4LjE2My44Ljkw&mk=&nw=&od=5000000858874&oi=&p=a&pp=&rc=&rd=&][StatusCode: 200][ContentType: ][UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR ][PLAIN TEXT (GET /cp)] diff --git a/tests/result/signal.pcap.out b/tests/result/signal.pcap.out index 61bfa0487..a6a86150a 100644 --- a/tests/result/signal.pcap.out +++ b/tests/result/signal.pcap.out @@ -11,18 +11,18 @@ JA3 Host Stats: 1 192.168.2.17 3 - 1 TCP 192.168.2.17:57027 <-> 13.35.253.42:443 [proto: 91.39/TLS.Signal][cat: Chat/9][170 pkts/206962 bytes <-> 95 pkts/9293 bytes][Goodput ratio: 94.6/32.3][0.48 sec][bytes ratio: 0.914 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.8/3.4 39/47 6.0/9.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1217.4/97.8 1506/1506 547.8/174.6][TLSv1.2][Client: cdn.signal.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: cdn.signal.org][JA3S: c4b2785a87896e19d37eee932070cb22][Organization: Open Whisper Systems][Certificate SHA-1: 81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.2.17:57026 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][22 pkts/13757 bytes <-> 16 pkts/6493 bytes][Goodput ratio: 89.4/83.6][0.57 sec][bytes ratio: 0.359 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12.7/19.6 112/114 34.8/41.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 625.3/405.8 1506/1506 628.8/565.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.2.17:57027 <-> 13.35.253.42:443 [proto: 91.39/TLS.Signal][cat: Chat/9][170 pkts/206962 bytes <-> 95 pkts/9293 bytes][Goodput ratio: 94.6/32.3][0.48 sec][bytes ratio: 0.914 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.8/3.4 39/47 6.0/9.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1217.4/97.8 1506/1506 547.8/174.6][TLSv1.2][Client: cdn.signal.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: cdn.signal.org][JA3S: c4b2785a87896e19d37eee932070cb22][Organization: Open Whisper Systems][Certificate SHA-1: 81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:19:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.2.17:57026 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][22 pkts/13757 bytes <-> 16 pkts/6493 bytes][Goodput ratio: 89.4/83.6][0.57 sec][bytes ratio: 0.359 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12.7/19.6 112/114 34.8/41.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 625.3/405.8 1506/1506 628.8/565.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 3 TCP 192.168.2.17:57022 <-> 23.57.24.16:443 [proto: 91.145/TLS.AppleiTunes][cat: Streaming/17][24 pkts/2540 bytes <-> 21 pkts/12673 bytes][Goodput ratio: 37.6/89.0][0.40 sec][bytes ratio: -0.666 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.9/14.0 124/83 34.8/27.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 105.8/603.5 583/1506 104.9/573.8][TLSv1.3][Client: itunes.apple.com][JA3C: 17305a56a62a10f6b0ee8edcc3b1769c][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384] 4 TCP 192.168.2.17:57018 <-> 23.57.24.16:443 [proto: 91.145/TLS.AppleiTunes][cat: Streaming/17][25 pkts/2582 bytes <-> 20 pkts/12000 bytes][Goodput ratio: 37.0/88.9][0.24 sec][bytes ratio: -0.646 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7.4/9.7 47/52 16.2/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 103.3/600.0 583/1506 103.5/587.8][TLSv1.3][Client: itunes.apple.com][JA3C: 17305a56a62a10f6b0ee8edcc3b1769c][JA3S: 15af977ce25de452b96affa2addb1036][Cipher: TLS_AES_256_GCM_SHA384] - 5 TCP 192.168.2.17:49227 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1808 bytes <-> 12 pkts/4355 bytes][Goodput ratio: 51.9/81.6][3.03 sec][bytes ratio: -0.413 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 62.1/293.1 115/2199 52.5/677.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 139.1/362.9 502/1506 119.5/470.7][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][Server: textsecure-service.whispersystems.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.2.17:57024 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2054 bytes <-> 11 pkts/3775 bytes][Goodput ratio: 51.2/80.5][0.59 sec][bytes ratio: -0.295 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.9/59.0 167/186 54.6/77.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/343.2 583/1506 133.5/472.0][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.2.17:57021 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2108 bytes <-> 10 pkts/3709 bytes][Goodput ratio: 49.9/82.0][13.48 sec][bytes ratio: -0.275 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.6/49.6 13018/120 3463.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.8/370.9 583/1506 130.8/486.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 8 TCP 192.168.2.17:57020 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2103 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 49.8/79.4][13.49 sec][bytes ratio: -0.258 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.4/44.5 13011/122 3461.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.4/323.8 583/1506 130.5/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.2.17:57019 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2095 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 49.6/79.2][13.49 sec][bytes ratio: -0.255 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1020.2/43.2 13026/120 3466.0/54.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 130.9/320.6 583/1506 129.9/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 10 TCP 192.168.2.17:57023 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2049 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 51.1/79.4][0.58 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.0/58.0 168/181 54.2/76.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.6/323.8 583/1506 133.1/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 11 TCP 192.168.2.17:57025 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2041 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 50.9/79.2][0.58 sec][bytes ratio: -0.267 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.8/58.4 166/184 54.4/76.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.1/320.6 583/1506 132.6/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][Server: textsecure-service.whispersystems.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 12 TCP 192.168.2.17:49226 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1688 bytes <-> 11 pkts/3569 bytes][Goodput ratio: 48.4/79.4][9.90 sec][bytes ratio: -0.358 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/57.4 113/154 53.2/65.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 129.8/324.5 502/1506 120.2/473.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][Server: textsecure-service.whispersystems.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2013-03-25 22:18:35 - 2023-03-23 22:18:35][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.2.17:49227 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1808 bytes <-> 12 pkts/4355 bytes][Goodput ratio: 51.9/81.6][3.03 sec][bytes ratio: -0.413 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 62.1/293.1 115/2199 52.5/677.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 139.1/362.9 502/1506 119.5/470.7][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.2.17:57024 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2054 bytes <-> 11 pkts/3775 bytes][Goodput ratio: 51.2/80.5][0.59 sec][bytes ratio: -0.295 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.9/59.0 167/186 54.6/77.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.9/343.2 583/1506 133.5/472.0][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.2.17:57021 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2108 bytes <-> 10 pkts/3709 bytes][Goodput ratio: 49.9/82.0][13.48 sec][bytes ratio: -0.275 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.6/49.6 13018/120 3463.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.8/370.9 583/1506 130.8/486.5][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.2.17:57020 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2103 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 49.8/79.4][13.49 sec][bytes ratio: -0.258 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1019.4/44.5 13011/122 3461.9/56.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 131.4/323.8 583/1506 130.5/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.2.17:57019 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][16 pkts/2095 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 49.6/79.2][13.49 sec][bytes ratio: -0.255 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1020.2/43.2 13026/120 3466.0/54.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 130.9/320.6 583/1506 129.9/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 10 TCP 192.168.2.17:57023 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2049 bytes <-> 11 pkts/3562 bytes][Goodput ratio: 51.1/79.4][0.58 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.0/58.0 168/181 54.2/76.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.6/323.8 583/1506 133.1/472.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 11 TCP 192.168.2.17:57025 <-> 35.169.3.40:443 [proto: 91.39/TLS.Signal][cat: Chat/9][15 pkts/2041 bytes <-> 11 pkts/3527 bytes][Goodput ratio: 50.9/79.2][0.58 sec][bytes ratio: -0.267 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.8/58.4 166/184 54.4/76.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136.1/320.6 583/1506 132.6/473.1][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: 6725ca90906e1036febcbfd464e2e326][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 1089ea6f0461a29006cc96dfe7a11d80][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 12 TCP 192.168.2.17:49226 <-> 34.225.240.173:443 [proto: 91.39/TLS.Signal][cat: Chat/9][13 pkts/1688 bytes <-> 11 pkts/3569 bytes][Goodput ratio: 48.4/79.4][9.90 sec][bytes ratio: -0.358 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/57.4 113/154 53.2/65.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 129.8/324.5 502/1506 120.2/473.3][TLSv1.2][Client: textsecure-service.whispersystems.org][JA3C: e4d448cdfe06dc1243c1eb026c74ac9a][ServerNames: textsecure-service.whispersystems.org,service.signal.org][JA3S: 303951d4c50efb2e991652225a6f02b1][Organization: Open Whisper Systems][Certificate SHA-1: 5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B][Validity: 2019-02-15 17:38:17 - 2029-03-12 18:20:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 13 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][4 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][15.76 sec][Host: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46] 14 TCP 23.57.24.16:443 <-> 192.168.2.17:57016 [proto: 91/TLS][cat: Web/5][6 pkts/408 bytes <-> 6 pkts/471 bytes][Goodput ratio: 11.7/13.3][0.65 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/16 158.5/4.0 347/16 156.8/6.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 68.0/78.5 90/105 16.1/14.7] 15 TCP 192.168.2.17:56996 <-> 17.248.146.144:443 [proto: 91.140/TLS.Apple][cat: Web/5][4 pkts/341 bytes <-> 4 pkts/264 bytes][Goodput ratio: 22.5/0.0][0.03 sec][bytes ratio: 0.127 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 25/0 8.3/0.0 25/0 11.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.2/66.0 112/66 20.0/0.0] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index db6d78183..b3cf38b53 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -5,9 +5,9 @@ SSDP 101 38156 6 SkypeCall 152 10704 144 ICMP 8 656 1 IGMP 5 258 4 -TLS 96 8876 7 +TLS 483 206966 8 Dropbox 38 17948 5 -Skype 1796 451121 80 +Skype 1409 253031 79 Apple 17 2225 3 AppleiCloud 88 20520 2 Spotify 5 430 1 @@ -17,15 +17,15 @@ JA3 Host Stats: 1 192.168.1.34 2 - 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71.0/91.5][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002.2/607.6 30166/30261 4602.0/3438.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71.0/91.5][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002.2/607.6 30166/30261 4602.0/3438.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][Goodput ratio: 74.7/84.8][96.43 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 448.5/356.9 8300/8646 1135.8/1099.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 260.7/433.2 1506/1506 342.9/569.4][PLAIN TEXT ( 0sKWL)] 3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][Goodput ratio: 88.7/0.0][160.13 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1135.8/0.0 19950/0 4578.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373.2/0.0 405/0 28.8/0.0][PLAIN TEXT (NOTIFY )] 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][Goodput ratio: 75.6/77.3][46.31 sec][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 114.6/85.0 899/1012 249.9/251.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224.1/247.7 680/1494 261.3/323.6][TLSv1.2][Client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 5 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/7281 bytes -> 0 pkts/0 bytes][Goodput ratio: 91.9/0.0][6.11 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 508.0/0.0 3090/0 1136.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 475/0 520.1/0.0 555/0 30.8/0.0][PLAIN TEXT (NOTIFY )] 6 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91.121/TLS.Dropbox][cat: Cloud/13][8 pkts/1636 bytes <-> 8 pkts/4344 bytes][Goodput ratio: 67.7/87.8][141.04 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 141/2 23483.2/23483.3 53811/53950 23772.7/23909.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204.5/543.0 343/1020 138.5/477.0] 7 TCP 192.168.1.34:50126 <-> 91.190.216.23:12350 [proto: 125/Skype][cat: VoIP/10][16 pkts/4788 bytes <-> 4 pkts/372 bytes][Goodput ratio: 77.7/28.4][32.96 sec][bytes ratio: 0.856 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2304.5/21.5 5155/43 2241.1/21.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 299.2/93.0 398/172 147.0/45.9] - 8 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][Goodput ratio: 68.9/0.0][69.74 sec][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4362.3/0.0 8437/0 3866.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 212.1/74.0 257/74 81.1/0.0][TLSv1][Client: apps.skypeassets.com][JA3C: 799135475da362592a4be9199d258726] - 9 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][55.58 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3492.5/0.0 6700/0 2904.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] + 8 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][Goodput ratio: 68.9/0.0][69.74 sec][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4362.3/0.0 8437/0 3866.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 212.1/74.0 257/74 81.1/0.0][TLSv1.2][Client: apps.skypeassets.com][JA3C: 799135475da362592a4be9199d258726] + 9 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][55.58 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3492.5/0.0 6700/0 2904.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1.2][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] 10 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.3/0.0][150.37 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30053/0 30073.4/0.0 30087/0 11.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 544/0 544.0/0.0 544/0 0.0/0.0][PLAIN TEXT ( 1573195445)] 11 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.3/0.0][150.37 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30053/0 30073.8/0.0 30087/0 12.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 544/0 544.0/0.0 544/0 0.0/0.0][PLAIN TEXT ( 1573195445)] 12 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][5 pkts/2720 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][120.16 sec][PLAIN TEXT ( 3375359593)] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 01e22efd3..098a745a9 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -6,9 +6,9 @@ SSDP 40 14100 3 SkypeCall 154 10918 146 ICMP 4 328 1 IGMP 4 226 4 -TLS 79 7742 6 +TLS 427 189429 7 Dropbox 16 7342 5 -Skype 1185 331827 60 +Skype 837 150140 59 Apple 84 20699 2 JA3 Host Stats: @@ -16,13 +16,13 @@ JA3 Host Stats: 1 192.168.1.34 2 - 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 71.9/91.6][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 369.6/331.3 45360/45460 3946.4/3735.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 71.9/91.6][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 369.6/331.3 45360/45460 3946.4/3735.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][Goodput ratio: 77.8/89.2][22.75 sec][bytes ratio: -0.323 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238.2/214.7 3095/3095 411.2/400.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303.8/611.6 1506/1506 405.8/625.9][PLAIN TEXT (nZREBS)] - 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 77.4/79.7][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2272.9/322.9 55625/8255 10013.7/1510.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4] + 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 77.4/79.7][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2272.9/322.9 55625/8255 10013.7/1510.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4][PLAIN TEXT (/tBGEll)] 4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][Goodput ratio: 88.7/0.0][60.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1254.2/0.0 19850/0 4801.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 372.3/0.0 405/0 28.7/0.0][PLAIN TEXT (NOTIFY )] - 5 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][54.57 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3429.1/0.0 6616/0 2850.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] + 5 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69.5/0.0][54.57 sec][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3429.1/0.0 6616/0 2850.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216.3/74.0 251/74 72.3/0.0][TLSv1.2][Client: apps.skype.com][JA3C: 799135475da362592a4be9199d258726] 6 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][cat: VoIP/10][12 pkts/3242 bytes <-> 3 pkts/290 bytes][Goodput ratio: 75.2/28.9][14.87 sec][bytes ratio: 0.836 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1411.2/27.5 6276/55 1938.6/27.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 270.2/96.7 401/150 156.2/37.9] - 7 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/TLS.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][Goodput ratio: 67.6/87.8][30.64 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 222/2 10212.3/10139.0 30193/30413 14128.5/14335.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204.5/543.0 343/1020 138.5/477.0] + 7 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/TLS.Dropbox][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][Goodput ratio: 67.6/87.8][30.64 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 222/2 10212.3/10139.0 30193/30413 14128.5/14335.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204.5/543.0 343/1020 138.5/477.0][PLAIN TEXT (ZeNjsq)] 8 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][Goodput ratio: 64.4/0.0][14.82 sec][bytes ratio: 0.931 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1393.0/0.0 6406/0 1894.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 188.5/74.0 233/74 72.7/0.0][TLSv1][Client: apps.skype.com] 9 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/TLS.Skype][cat: VoIP/10][13 pkts/1446 bytes <-> 4 pkts/266 bytes][Goodput ratio: 39.8/0.0][28.33 sec][bytes ratio: 0.689 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/63 2320.6/63.0 11234/63 3205.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 111.2/66.5 138/74 23.1/5.0] 10 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/TLS][cat: Web/5][13 pkts/1437 bytes <-> 3 pkts/200 bytes][Goodput ratio: 39.4/0.0][24.81 sec][bytes ratio: 0.756 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/59 2001.1/59.0 7498/59 2282.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 110.5/66.7 138/74 22.8/5.7] diff --git a/tests/result/tls_long_cert.pcap.out b/tests/result/tls_long_cert.pcap.out new file mode 100644 index 000000000..2d5eecd17 --- /dev/null +++ b/tests/result/tls_long_cert.pcap.out @@ -0,0 +1,8 @@ +Repubblica 182 117601 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.2.126 1 + + + 1 TCP 192.168.2.126:60174 <-> 104.111.215.93:443 [proto: 91.251/TLS.Repubblica][cat: Web/5][86 pkts/8534 bytes <-> 96 pkts/109067 bytes][Goodput ratio: 33.5/94.2][71.34 sec][bytes ratio: -0.855 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1046.1/930.3 45462/45488 6188.9/5864.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 99.2/1136.1 902/1514 118.4/524.7][TLSv1.2][Client: www.repubblica.it][JA3C: 66918128f1b9b03303d77c6f2eefd128][ServerNames: www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it][JA3S: 35af4c8cd9495354f7d701ce8ad7fd2d][Organization: GEDI Digital S.r.l.][Certificate SHA-1: 0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1][Validity: 2019-03-07 00:00:00 - 2020-05-05 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out index 8875e4f7c..e2503d3c7 100644 --- a/tests/result/tor.pcap.out +++ b/tests/result/tor.pcap.out @@ -1,21 +1,21 @@ NetBIOS 1 252 1 -TLS 39 12580 2 +TLS 246 102691 5 DHCPV6 6 906 1 Dropbox 10 1860 1 -Tor 3638 3001842 6 +Tor 3431 2911731 3 JA3 Host Stats: IP Address # JA3C 1 192.168.1.252 1 - 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes][Goodput ratio: 77.7/95.4][134.33 sec][bytes ratio: -0.760 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 212.9/86.0 33482/11394 1581.9/404.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 261.7/1175.6 1514/1514 348.8/544.1][TLSv1][Client: www.jmts2id.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][Server: www.gg562izcxdvqdk.com][JA3S: e1691a31bfe345d2692da75636ddfb00][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA] - 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][Goodput ratio: 76.8/95.7][106.13 sec][bytes ratio: -0.790 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 202.5/109.1 30770/31166 1830.3/1316.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 251.7/1247.8 1514/1514 354.5/507.1][TLSv1][Client: www.q4cyamnc6mtokjurvdclt.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (cyamnc6)] - 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][cat: VPN/2][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][Goodput ratio: 84.4/90.7][109.04 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2212.0/966.0 44777/37995 8343.4/4770.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 366.4/580.0 1514/1514 349.5/568.1][TLSv1][Client: www.ct7ctrgb6cr7.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (www.ct7)] - 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][Goodput ratio: 82.4/83.7][135.32 sec][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 10377.8/8441.0 132386/132736 35221.5/32093.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 322.9/334.8 640/1514 270.5/384.8][TLSv1][Client: www.gfu7hbxpfp.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][Server: www.xkgk7fdx362yyyxib.com][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][cat: VPN/2][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81.2/84.3][108.05 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124.3/2564.1 71328/34353 19660.8/8817.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 303.6/349.1 640/1514 266.5/398.3][TLSv1][Client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (57kbafwrx)] - 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][cat: VPN/2][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][Goodput ratio: 74.8/87.0][135.27 sec][bytes ratio: -0.292 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 11234.2/11260.6 72591/72890 25060.3/25130.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 230.7/421.2 640/1514 242.6/402.9][TLSv1][Client: www.t3i3ru.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (ru.com)] - 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76.2/87.2][74.24 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155.3/6464.2 63835/63837 17571.0/19124.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242.3/430.5 640/1514 246.7/415.8][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][PLAIN TEXT (sieb.com)] + 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes][Goodput ratio: 77.7/95.4][134.33 sec][bytes ratio: -0.760 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 212.9/86.0 33482/11394 1581.9/404.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 261.7/1175.6 1514/1514 348.8/544.1][TLSv1][Client: www.jmts2id.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: e1691a31bfe345d2692da75636ddfb00][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA] + 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 91.163/TLS.Tor][cat: VPN/2][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes][Goodput ratio: 76.8/95.7][106.13 sec][bytes ratio: -0.790 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 202.5/109.1 30770/31166 1830.3/1316.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 251.7/1247.8 1514/1514 354.5/507.1][TLSv1][Client: www.q4cyamnc6mtokjurvdclt.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: e1691a31bfe345d2692da75636ddfb00][Certificate SHA-1: C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A][Validity: 2013-09-15 00:00:00 - 2014-02-21 23:59:59][Cipher: TLS_DHE_RSA_WITH_AES_256_CBC_SHA] + 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][62 pkts/22715 bytes <-> 79 pkts/45823 bytes][Goodput ratio: 84.4/90.7][109.04 sec][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2212.0/966.0 44777/37995 8343.4/4770.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 366.4/580.0 1514/1514 349.5/568.1][TLSv1][Client: www.ct7ctrgb6cr7.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 91/TLS][cat: Web/5][17 pkts/5489 bytes <-> 21 pkts/7031 bytes][Goodput ratio: 82.4/83.7][135.32 sec][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 10377.8/8441.0 132386/132736 35221.5/32093.7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 322.9/334.8 640/1514 270.5/384.8][TLSv1][Client: www.gfu7hbxpfp.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7][Validity: 2013-10-03 00:00:00 - 2013-11-18 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 91/TLS][cat: Web/5][16 pkts/4858 bytes <-> 18 pkts/6284 bytes][Goodput ratio: 81.2/84.3][108.05 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/3 6124.3/2564.1 71328/34353 19660.8/8817.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 303.6/349.1 640/1514 266.5/398.3][TLSv1][Client: www.e6r5p57kbafwrxj3plz.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: 3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C][Validity: 2013-06-07 00:00:00 - 2014-02-07 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 91/TLS][cat: Web/5][16 pkts/3691 bytes <-> 16 pkts/6740 bytes][Goodput ratio: 74.8/87.0][135.27 sec][bytes ratio: -0.292 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 11234.2/11260.6 72591/72890 25060.3/25130.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 230.7/421.2 640/1514 242.6/402.9][TLSv1][Client: www.t3i3ru.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: F9:1D:5F:89:8F:D8:58:1E:45:E7:9B:A6:FD:90:95:77:FF:DD:E8:1B][Validity: 2013-09-11 00:00:00 - 2013-11-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 7 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 91.163/TLS.Tor][cat: VPN/2][15 pkts/3634 bytes <-> 14 pkts/6027 bytes][Goodput ratio: 76.2/87.2][74.24 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/15 6155.3/6464.2 63835/63837 17571.0/19124.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 242.3/430.5 640/1514 246.7/415.8][TLSv1][Client: www.6gyip7tqim7sieb.com][JA3C: 581a3c7f54555512b8cd16e87dfe165b][JA3S: 184d532a16876b78846ae6a03f654890][Certificate SHA-1: EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0][Validity: 2013-11-02 00:00:00 - 2014-02-17 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] 8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][10 pkts/1860 bytes -> 0 pkts/0 bytes][Goodput ratio: 77.4/0.0][600.89 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30033/0 66765.1/0.0 360548/0 103867.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 186/0 186.0/0.0 186/0 0.0/0.0][PLAIN TEXT ( 676879976)] 9 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][6 pkts/906 bytes -> 0 pkts/0 bytes][Goodput ratio: 58.9/0.0][31.41 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1227/0 6282.2/0.0 16006/0 5399.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 151/0 151.0/0.0 151/0 0.0/0.0][PLAIN TEXT (Endian)] 10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][cat: System/18][1 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 83.0/0.0][< 1 sec][Host: endian-pc][PLAIN TEXT ( EFEOEEEJEBEOCNFAEDCACACACACACA)] diff --git a/tests/result/viber.pcap.out b/tests/result/viber.pcap.out index b55e4bf8e..6040afee9 100644 --- a/tests/result/viber.pcap.out +++ b/tests/result/viber.pcap.out @@ -13,14 +13,14 @@ JA3 Host Stats: 1 192.168.0.17 2 - 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/TLS.Viber][cat: Chat/9][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][Goodput ratio: 37.7/94.9][5.64 sec][bytes ratio: -0.859 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 162.3/2.3 5370/40 906.6/7.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106.3/1306.2 774/1514 151.1/466.3][TLSv1.2][Client: dl-media.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A][Validity: 2016-06-26 00:00:00 - 2018-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/TLS.Viber][cat: Chat/9][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][Goodput ratio: 56.7/91.4][5.69 sec][bytes ratio: -0.669 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 622.1/10.0 5492/35 1721.8/14.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.0/776.4 435/1514 138.2/635.3][TLSv1.2][Client: media.cdn.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39][Validity: 2016-07-03 00:00:00 - 2018-07-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][Goodput ratio: 69.3/85.8][1.00 sec][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/59.8 176/183 76.2/72.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 217.2/468.0 1514/1514 380.1/569.8][TLSv1.2][Client: brahe.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 1 TCP 192.168.0.17:53934 <-> 54.230.93.53:443 [proto: 91.144/TLS.Viber][cat: Chat/9][43 pkts/4571 bytes <-> 46 pkts/60087 bytes][Goodput ratio: 37.7/94.9][5.64 sec][bytes ratio: -0.859 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 162.3/2.3 5370/40 906.6/7.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106.3/1306.2 774/1514 151.1/466.3][TLSv1.2][Client: dl-media.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.viber.com,viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A][Validity: 2016-06-26 00:00:00 - 2018-06-26 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.0.17:57520 <-> 54.230.93.96:443 [proto: 91.144/TLS.Viber][cat: Chat/9][12 pkts/1848 bytes <-> 12 pkts/9317 bytes][Goodput ratio: 56.7/91.4][5.69 sec][bytes ratio: -0.669 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 622.1/10.0 5492/35 1721.8/14.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 154.0/776.4 435/1514 138.2/635.3][TLSv1.2][Client: media.cdn.viber.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.cdn.viber.com][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Organization: Viber Media Sarl][Certificate SHA-1: B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39][Validity: 2016-07-03 00:00:00 - 2018-07-03 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.0.17:49048 <-> 54.187.91.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][13 pkts/2823 bytes <-> 14 pkts/6552 bytes][Goodput ratio: 69.3/85.8][1.00 sec][bytes ratio: -0.398 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.4/59.8 176/183 76.2/72.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 217.2/468.0 1514/1514 380.1/569.8][TLSv1.2][Client: brahe.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.apptimize.com,apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 4 TCP 192.168.0.17:33208 <-> 52.0.253.101:4244 [proto: 144/Viber][cat: VoIP/10][32 pkts/6563 bytes <-> 26 pkts/2782 bytes][Goodput ratio: 67.8/38.3][46.77 sec][bytes ratio: 0.405 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1220.3/1488.8 7187/7333 2089.5/2187.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 205.1/107.0 657/176 184.2/42.7] 5 TCP 192.168.0.17:43702 <-> 172.217.23.78:443 [proto: 91.126/TLS.Google][cat: Web/5][15 pkts/5339 bytes <-> 12 pkts/3436 bytes][Goodput ratio: 81.3/76.7][33.94 sec][bytes ratio: 0.217 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2820.8/2646.3 23555/23575 6837.7/7399.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 355.9/286.3 1038/884 369.7/257.9][TLSv1.2][Client: app-measurement.com][JA3C: 3967ff2d2c9c4d144e7e30f24f4e9761][JA3S: 67619a80665d7ab92d1041b1d11f9164][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][Goodput ratio: 48.9/88.7][1.01 sec][bytes ratio: -0.634 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104.0/50.9 273/178 102.4/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 130.6/582.9 432/1514 111.7/601.3][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][Server: *.apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/TLS][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][Goodput ratio: 54.9/90.3][0.23 sec][bytes ratio: -0.605 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.0/18.6 152/60 47.4/24.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 153.4/693.2 631/1514 169.0/615.5][TLSv1][Client: venetia.iad.appboy.com][JA3C: d8c87b9bfde38897979e41242626c2f3] - 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][Goodput ratio: 48.1/88.3][0.92 sec][bytes ratio: -0.617 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 93.0/53.0 185/189 87.4/83.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 132.9/560.3 433/1514 110.8/605.1][TLSv1][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3] + 6 TCP 192.168.0.17:36986 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1437 bytes <-> 11 pkts/6412 bytes][Goodput ratio: 48.9/88.7][1.01 sec][bytes ratio: -0.634 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 104.0/50.9 273/178 102.4/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 130.6/582.9 432/1514 111.7/601.3][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3][ServerNames: *.apptimize.com,apptimize.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Organization: Apptimize, Inc][Certificate SHA-1: BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5][Validity: 2016-02-11 00:00:00 - 2019-04-10 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.0.17:55746 <-> 151.101.1.130:443 [proto: 91/TLS][cat: Web/5][10 pkts/1534 bytes <-> 9 pkts/6239 bytes][Goodput ratio: 54.9/90.3][0.23 sec][bytes ratio: -0.605 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.0/18.6 152/60 47.4/24.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 153.4/693.2 631/1514 169.0/615.5][TLSv1.2][Client: venetia.iad.appboy.com][JA3C: d8c87b9bfde38897979e41242626c2f3] + 8 TCP 192.168.0.17:36988 <-> 54.69.166.226:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1462 bytes <-> 11 pkts/6163 bytes][Goodput ratio: 48.1/88.3][0.92 sec][bytes ratio: -0.617 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 93.0/53.0 185/189 87.4/83.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/54 132.9/560.3 433/1514 110.8/605.1][TLSv1.2][Client: mapi.apptimize.com][JA3C: d8c87b9bfde38897979e41242626c2f3] 9 UDP 192.168.0.17:47171 <-> 18.201.4.32:7985 [proto: 144/Viber][cat: VoIP/10][24 pkts/5035 bytes <-> 22 pkts/2302 bytes][Goodput ratio: 80.0/59.8][7.22 sec][bytes ratio: 0.372 (Upload)][IAT c2s/s2c min/avg/max/stddev: 15/15 303.7/333.6 529/529 208.6/187.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/76 209.8/104.6 299/118 115.2/19.6][PLAIN TEXT (Android)] 10 UDP 192.168.0.17:38190 <-> 18.201.4.3:7985 [proto: 144/Viber][cat: VoIP/10][25 pkts/4344 bytes <-> 18 pkts/1872 bytes][Goodput ratio: 75.8/59.6][5.68 sec][bytes ratio: 0.398 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 203.1/278.8 513/531 232.5/235.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/76 173.8/104.0 299/118 120.4/19.8][PLAIN TEXT (Android)] 11 ICMP 192.168.0.17:0 <-> 192.168.0.15:0 [proto: 81/ICMP][cat: Network/14][1 pkts/1514 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 97.2/97.2][< 1 sec][PLAIN TEXT (1234567890ABCDEFGHIJKLMNOPQ)] diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index 749669238..7e5690145 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out @@ -11,23 +11,23 @@ JA3 Host Stats: 1 10.8.0.1 2 - 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][Goodput ratio: 74.0/96.0][19.68 sec][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 287.7/329.3 3806/5018 686.4/819.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 208.8/1360.9 590/17258 183.0/3378.1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][Goodput ratio: 74.0/96.0][19.68 sec][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 287.7/329.3 3806/5018 686.4/819.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 208.8/1360.9 590/17258 183.0/3378.1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][cat: Web/5][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Goodput ratio: 20.1/98.4][5.27 sec][Host: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 320.7/372.6 3680/3677 903.4/959.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68.9/3438.7 317/11833 58.6/3467.6][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][ContentType: application/octet-stream][UserAgent: Android][PLAIN TEXT (GET /xtra)] - 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][Goodput ratio: 52.2/98.5][2.64 sec][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155.3/188.5 387/415 136.9/130.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115.4/3558.4 590/21942 132.3/6124.9][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][Goodput ratio: 56.9/98.1][3.70 sec][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.8/125.8 1449/293 382.9/116.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128.0/2829.5 590/11186 147.3/3901.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][Goodput ratio: 46.1/97.3][3.22 sec][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237.2/155.3 1289/609 358.5/182.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102.7/2026.6 411/8150 98.2/2611.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][Goodput ratio: 60.4/89.6][15.91 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 578.4/1210.2 5838/5890 1444.5/1891.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139.3/518.8 555/3660 140.6/938.6][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][Goodput ratio: 56.2/94.7][1.29 sec][bytes ratio: -0.775 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 162.5/196.0 343/348 153.1/132.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 129.2/1018.9 283/4048 86.6/1610.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][Goodput ratio: 47.9/90.9][3.03 sec][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 298.1/360.9 1175/1175 372.1/354.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106.8/594.6 315/1422 85.4/584.3][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][Goodput ratio: 50.0/91.7][2.56 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 283.4/305.9 1174/1173 370.4/349.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 111.6/648.7 315/2165 87.6/739.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][Goodput ratio: 59.5/86.9][6.85 sec][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 728.7/962.9 4966/4966 1533.8/1663.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 137.5/411.2 380/3201 123.8/874.8][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][Goodput ratio: 56.1/85.9][2.36 sec][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 195.8/194.7 883/537 285.6/190.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.8/383.6 380/2189 106.9/639.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][Goodput ratio: 51.2/89.0][3.32 sec][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 335.4/261.1 1332/645 428.4/235.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 114.5/490.3 347/2533 94.6/785.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] - 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][Goodput ratio: 57.2/88.9][2.45 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 300.3/341.3 1397/1346 459.1/420.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131.6/485.4 379/2165 107.7/725.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][Goodput ratio: 52.2/98.5][2.64 sec][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155.3/188.5 387/415 136.9/130.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115.4/3558.4 590/21942 132.3/6124.9][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][Goodput ratio: 56.9/98.1][3.70 sec][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.8/125.8 1449/293 382.9/116.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128.0/2829.5 590/11186 147.3/3901.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][Goodput ratio: 46.1/97.3][3.22 sec][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237.2/155.3 1289/609 358.5/182.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102.7/2026.6 411/8150 98.2/2611.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][Goodput ratio: 60.4/89.6][15.91 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 578.4/1210.2 5838/5890 1444.5/1891.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139.3/518.8 555/3660 140.6/938.6][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][Goodput ratio: 56.2/94.7][1.29 sec][bytes ratio: -0.775 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 162.5/196.0 343/348 153.1/132.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 129.2/1018.9 283/4048 86.6/1610.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][Goodput ratio: 47.9/90.9][3.03 sec][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 298.1/360.9 1175/1175 372.1/354.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106.8/594.6 315/1422 85.4/584.3][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2015-01-12 13:36:11 - 2015-12-31 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][Goodput ratio: 50.0/91.7][2.56 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 283.4/305.9 1174/1173 370.4/349.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 111.6/648.7 315/2165 87.6/739.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2015-01-12 13:36:11 - 2015-12-31 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][Goodput ratio: 59.5/86.9][6.85 sec][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 728.7/962.9 4966/4966 1533.8/1663.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 137.5/411.2 380/3201 123.8/874.8][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][Goodput ratio: 56.1/85.9][2.36 sec][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 195.8/194.7 883/537 285.6/190.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.8/383.6 380/2189 106.9/639.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][Goodput ratio: 51.2/89.0][3.32 sec][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 335.4/261.1 1332/645 428.4/235.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 114.5/490.3 347/2533 94.6/785.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] + 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][Goodput ratio: 57.2/88.9][2.45 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 300.3/341.3 1397/1346 459.1/420.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131.6/485.4 379/2165 107.7/725.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][ServerNames: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2015-01-12 13:36:11 - 2015-12-31 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] 14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Goodput ratio: 14.4/87.4][0.53 sec][Host: roadshields.waze.com][bytes ratio: -0.706 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/3 75.0/104.8 261/274 88.5/91.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.7/428.0 137/1678 26.0/650.9][URL: roadshields.waze.com/images/HD/CH2.png][StatusCode: 200][ContentType: image/png][UserAgent: /3.9.4.0][PLAIN TEXT (GET /images/HD/CH)] 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 91.126/TLS.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes][Goodput ratio: 64.9/67.7][0.40 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 32.2/74.5 53/188 24.3/68.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 162.4/167.5 572/602 176.8/200.3][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 23f1f6e2f0015c166df49fdab4280370 (INSECURE)][Cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA] 16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][8 pkts/594 bytes <-> 7 pkts/771 bytes][Goodput ratio: 23.9/50.9][0.14 sec][Host: cres.waze.com][bytes ratio: -0.130 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.7/28.7 134/84 49.8/39.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 74.2/110.1 194/447 45.7/137.5][URL: cres.waze.com/lang_asr/lang.portuguese_br_asr][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /lang)] - 17 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 142/WhatsApp][cat: Chat/9][8 pkts/673 bytes <-> 7 pkts/668 bytes][Goodput ratio: 32.8/43.3][0.55 sec][bytes ratio: 0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/9 80.5/98.2 289/238 105.9/82.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.1/95.4 222/245 53.4/66.5][PLAIN TEXT (Android)] + 17 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 91.142/TLS.WhatsApp][cat: Chat/9][8 pkts/673 bytes <-> 7 pkts/668 bytes][Goodput ratio: 32.8/43.3][0.55 sec][bytes ratio: 0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/9 80.5/98.2 289/238 105.9/82.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.1/95.4 222/245 53.4/66.5][PLAIN TEXT (Android)] 18 TCP 10.8.0.1:45546 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/557 bytes <-> 7 pkts/771 bytes][Goodput ratio: 28.5/50.9][0.54 sec][Host: cres.waze.com][bytes ratio: -0.161 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 105.4/174.3 394/397 152.4/165.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 79.6/110.1 211/447 54.1/137.5][URL: cres.waze.com/newVconfig/1.0/3/prompts_conf.buf?rtserver-id=15][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /newV)] 19 TCP 10.8.0.1:45538 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/555 bytes <-> 7 pkts/771 bytes][Goodput ratio: 28.2/50.9][0.29 sec][Host: cres.waze.com][bytes ratio: -0.163 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 42.2/69.7 177/177 68.5/77.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 79.3/110.1 209/447 53.4/137.5][URL: cres.waze.com/lang_tts/lang.portuguese_br_tts?rtserver-id=15][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /lang)] 20 TCP 10.8.0.1:45552 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][7 pkts/552 bytes <-> 7 pkts/771 bytes][Goodput ratio: 27.8/50.9][0.23 sec][Host: cres.waze.com][bytes ratio: -0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 34.4/56.3 169/168 67.3/79.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 78.9/110.1 206/447 52.3/137.5][URL: cres.waze.com/langs/1.0/lang.portuguese_br?rtserver-id=15][StatusCode: 304][ContentType: ][UserAgent: /3.9.4.0][PLAIN TEXT (GET /langs/1.0/lang.portuguese)] diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index dd4e89f65..3efbecbdd 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out @@ -10,36 +10,36 @@ JA3 Host Stats: 1 10.8.0.1 6 - 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][Goodput ratio: 5.9/95.8][62.34 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 135.3/140.2 2165/2214 262.0/271.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57.4/1281.6 528/29696 36.0/3034.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][Goodput ratio: 5.9/95.8][62.34 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 135.3/140.2 2165/2214 262.0/271.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57.4/1281.6 528/29696 36.0/3034.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][Goodput ratio: 68.2/98.6][2.76 sec][bytes ratio: -0.912 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112.2/100.6 455/404 117.1/99.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 172.0/3745.8 590/18020 205.7/4699.9][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][Goodput ratio: 77.4/96.9][5.52 sec][bytes ratio: -0.750 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 103.7/138.1 1189/1223 219.9/217.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 240.4/1716.9 590/17734 233.4/3587.1][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][Server: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2013-10-31 00:00:00 - 2023-10-30 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][Goodput ratio: 47.8/97.5][2.62 sec][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 143.9/154.3 1031/979 260.1/240.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.5/2130.4 590/8901 135.5/2681.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][Goodput ratio: 56.3/98.1][3.76 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/5 382.9/399.3 1876/1875 577.4/571.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 127.6/2863.1 528/14373 150.1/4303.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][Goodput ratio: 66.3/97.1][1.48 sec][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 108.1/138.8 519/469 176.0/157.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 165.0/1864.5 590/8448 193.3/2710.5][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][Goodput ratio: 76.2/59.7][68.57 sec][bytes ratio: 0.305 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1424.5/790.5 16039/7189 2910.5/1472.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 228.8/134.1 590/3961 153.6/546.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][Goodput ratio: 77.4/96.9][5.52 sec][bytes ratio: -0.750 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 103.7/138.1 1189/1223 219.9/217.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 240.4/1716.9 590/17734 233.4/3587.1][TLSv1.2][Client: radcom.webex.com][JA3C: f9010d8c34749bdf7659b52227e6f91b][ServerNames: *.webex.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][Goodput ratio: 47.8/97.5][2.62 sec][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 143.9/154.3 1031/979 260.1/240.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.5/2130.4 590/8901 135.5/2681.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][Goodput ratio: 56.3/98.1][3.76 sec][bytes ratio: -0.915 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/5 382.9/399.3 1876/1875 577.4/571.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 127.6/2863.1 528/14373 150.1/4303.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 6 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][Goodput ratio: 66.3/97.1][1.48 sec][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 108.1/138.8 519/469 176.0/157.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 165.0/1864.5 590/8448 193.3/2710.5][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][Goodput ratio: 76.2/59.7][68.57 sec][bytes ratio: 0.305 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1424.5/790.5 16039/7189 2910.5/1472.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 228.8/134.1 590/3961 153.6/546.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 8 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][cat: VoIP/10][22 pkts/15356 bytes -> 0 pkts/0 bytes][Goodput ratio: 94.0/0.0][95.92 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1008/0 4782.7/0.0 32494/0 6932.3/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 698/0 698.0/0.0 698/0 0.0/0.0][PLAIN TEXT (REGISTER sip)] - 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][Goodput ratio: 65.2/80.4][21.38 sec][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 795.8/451.5 6005/3010 1690.7/777.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.2/276.2 432/3961 108.2/830.4][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][Goodput ratio: 55.4/90.0][41.17 sec][bytes ratio: -0.585 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3166.5/655.0 34507/5259 9150.7/1545.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 124.0/541.7 590/1502 148.6/614.4][TLSv1][Client: api.crittercism.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][Server: *.crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Certificate SHA-1: 68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18][Validity: 2015-01-14 00:00:00 - 2020-01-13 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][Goodput ratio: 64.2/93.8][3.96 sec][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 523.4/352.4 2070/1020 729.8/365.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.4/873.0 576/3993 178.5/1443.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][Goodput ratio: 69.5/94.5][1.07 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/51 159.6/194.8 357/356 154.1/125.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 187.0/990.0 576/3993 192.5/1507.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][Goodput ratio: 63.0/93.5][3.00 sec][bytes ratio: -0.657 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 385.3/312.0 2171/1116 743.4/395.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/827.6 528/2974 166.2/1098.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][Goodput ratio: 63.0/93.4][3.01 sec][bytes ratio: -0.656 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/16 385.9/312.5 2179/1125 745.9/385.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/825.0 528/2633 166.2/1028.2][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][Goodput ratio: 65.6/93.5][0.78 sec][bytes ratio: -0.670 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 96.8/110.0 277/276 117.0/105.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/831.6 528/2581 172.4/1033.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.10 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 545.8/396.2 2119/1071 811.9/386.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.09 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 544.8/396.2 2066/1021 793.0/376.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][Goodput ratio: 63.0/91.7][4.04 sec][bytes ratio: -0.620 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 534.4/640.3 3074/2046 1047.8/713.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/648.7 528/3993 166.2/1254.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][Goodput ratio: 65.6/92.5][2.90 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 433.0/304.0 2119/1065 771.8/366.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/723.0 528/2633 172.4/919.0][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][Goodput ratio: 66.4/86.5][1.15 sec][bytes ratio: -0.449 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112.6/139.1 555/553 188.7/186.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 166.4/400.9 590/2581 167.4/757.6][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.40 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 126.6/190.1 512/509 170.3/159.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.32 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 117.8/180.3 470/468 157.2/150.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][4.59 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 304.9/639.3 1712/1786 557.1/738.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][Goodput ratio: 67.1/91.0][3.85 sec][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 389.4/620.7 1225/1224 477.2/510.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 171.1/604.4 590/3751 167.6/1199.5][TLSv1.2][Client: ssl.google-analytics.com][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][Server: *.google-analytics.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Organization: Google Inc][Certificate SHA-1: E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][Goodput ratio: 43.4/90.2][3.11 sec][bytes ratio: -0.662 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 263.0/413.2 1025/1231 416.0/511.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.4/549.8 380/2581 101.1/889.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.09 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/10 300.8/483.5 1105/1237 425.1/496.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.08 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 298.7/483.0 1096/1238 422.9/497.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][cat: Web/5][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][Goodput ratio: 66.2/90.6][0.77 sec][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125.4/128.6 463/394 174.1/138.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 168.7/574.4 448/2957 157.6/988.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Cisco Systems][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2010-02-19 22:39:26 - 2020-02-18 22:39:26][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][Goodput ratio: 13.6/92.3][4.09 sec][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/14 596.2/745.0 1927/1038 776.4/424.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.9/705.2 117/2896 22.0/1054.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2023-10-30 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] - 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][Goodput ratio: 15.4/93.5][4.08 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1018.2/992.3 2975/1922 1214.3/785.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 67.8/835.4 117/3961 23.2/1562.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][Goodput ratio: 65.2/80.4][21.38 sec][bytes ratio: -0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 795.8/451.5 6005/3010 1690.7/777.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.2/276.2 432/3961 108.2/830.4][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] + 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91.178/TLS.Amazon][cat: Web/5][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][Goodput ratio: 55.4/90.0][41.17 sec][bytes ratio: -0.585 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3166.5/655.0 34507/5259 9150.7/1545.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 124.0/541.7 590/1502 148.6/614.4][TLSv1][Client: api.crittercism.com][JA3C: 54ae5fcb0159e2ddf6a50e149221c7c7][ServerNames: *.crittercism.com,crittercism.com][JA3S: c800cea031c10ffe47e1d72c9264577a (INSECURE)][Certificate SHA-1: 68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18][Validity: 2015-01-14 00:00:00 - 2020-01-13 23:59:59][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][Goodput ratio: 64.2/93.8][3.96 sec][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 523.4/352.4 2070/1020 729.8/365.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 157.4/873.0 576/3993 178.5/1443.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][Goodput ratio: 69.5/94.5][1.07 sec][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 4/51 159.6/194.8 357/356 154.1/125.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 187.0/990.0 576/3993 192.5/1507.6][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][Goodput ratio: 63.0/93.5][3.00 sec][bytes ratio: -0.657 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 385.3/312.0 2171/1116 743.4/395.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/827.6 528/2974 166.2/1098.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][Goodput ratio: 63.0/93.4][3.01 sec][bytes ratio: -0.656 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/16 385.9/312.5 2179/1125 745.9/385.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/825.0 528/2633 166.2/1028.2][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][Goodput ratio: 65.6/93.5][0.78 sec][bytes ratio: -0.670 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 96.8/110.0 277/276 117.0/105.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/831.6 528/2581 172.4/1033.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.10 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 545.8/396.2 2119/1071 811.9/386.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][Goodput ratio: 68.4/94.2][3.09 sec][bytes ratio: -0.677 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 544.8/396.2 2066/1021 793.0/376.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 180.1/933.6 528/3961 178.9/1446.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][Goodput ratio: 63.0/91.7][4.04 sec][bytes ratio: -0.620 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 534.4/640.3 3074/2046 1047.8/713.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 152.1/648.7 528/3993 166.2/1254.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][Goodput ratio: 65.6/92.5][2.90 sec][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 433.0/304.0 2119/1065 771.8/366.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 164.4/723.0 528/2633 172.4/919.0][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][Goodput ratio: 66.4/86.5][1.15 sec][bytes ratio: -0.449 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 112.6/139.1 555/553 188.7/186.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 166.4/400.9 590/2581 167.4/757.6][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 21 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.40 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 126.6/190.1 512/509 170.3/159.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][1.32 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 117.8/180.3 470/468 157.2/150.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 23 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][Goodput ratio: 65.8/87.5][4.59 sec][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 304.9/639.3 1712/1786 557.1/738.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 163.5/432.5 590/3961 167.4/1117.3][TLSv1][JA3C: 64ea4359ad4b496db653a3f30f7073e6][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/TLS.Google][cat: Web/5][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][Goodput ratio: 67.1/91.0][3.85 sec][bytes ratio: -0.517 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 389.4/620.7 1225/1224 477.2/510.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 171.1/604.4 590/3751 167.6/1199.5][TLSv1.2][Client: ssl.google-analytics.com][JA3C: 75edb912bc6f0a222ae3e3e47f5c89b1][ServerNames: *.google-analytics.com,app-measurement.com,google-analytics.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googletagmanager.com][JA3S: 389ed42c02ebecc32e73aa31def07e14][Organization: Google Inc][Certificate SHA-1: E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D][Validity: 2015-09-29 19:00:07 - 2015-12-28 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][Goodput ratio: 43.4/90.2][3.11 sec][bytes ratio: -0.662 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 263.0/413.2 1025/1231 416.0/511.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.4/549.8 380/2581 101.1/889.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.09 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/10 300.8/483.5 1105/1237 425.1/496.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][Goodput ratio: 46.2/91.3][4.08 sec][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 298.7/483.0 1096/1238 422.9/497.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][Goodput ratio: 66.2/90.6][0.77 sec][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125.4/128.6 463/394 174.1/138.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 168.7/574.4 448/2957 157.6/988.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: www.webex.com.au,www.webex.ca,www.webex.de,www.webex.com.hk,www.webex.co.in,www.webex.co.it,www.webex.co.jp,www.webex.com.mx,www.webex.co.uk,m.webex.com,signup.webex.com,signup.webex.co.uk,signup.webex.de,mytrial.webex.com,mytrial.webex.com.mx,mytrial.webex.co.in,mytrial.webex.com.au,mytrial.webex.co.jp,support.webex.com,howdoi.webex.com,kb.webex.com,myresources.webex.com,invoices.webex.com,try.webex.com,buyonline.webex.com,buyonline.webex.de,buyonline.webex.co.uk,tempbol.webex.com,tempsupport.webex.com,www.webex.com,webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Cisco Systems][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2014-12-18 08:27:59 - 2016-02-19 21:32:06][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][Goodput ratio: 13.6/92.3][4.09 sec][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/14 596.2/745.0 1927/1038 776.4/424.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.9/705.2 117/2896 22.0/1054.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] + 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][Goodput ratio: 15.4/93.5][4.08 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1018.2/992.3 2975/1922 1214.3/785.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 67.8/835.4 117/3961 23.2/1562.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][ServerNames: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes][Goodput ratio: 61.7/44.2][0.54 sec][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 77.1/76.9 283/252 98.2/86.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 146.5/96.8 590/396 160.9/101.6][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1388 bytes <-> 10 pkts/1087 bytes][Goodput ratio: 59.6/50.3][13.16 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1644.0/1878.7 10453/11491 3421.2/3952.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 138.8/108.7 590/472 162.8/127.1][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 33 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][9 pkts/1357 bytes <-> 9 pkts/615 bytes][Goodput ratio: 62.7/20.9][59.53 sec][bytes ratio: 0.376 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8503.6/9920.5 59268/59268 20724.6/22069.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 150.8/68.3 590/183 167.8/40.5][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out index bd042a8e0..9f7801469 100644 --- a/tests/result/wechat.pcap.out +++ b/tests/result/wechat.pcap.out @@ -19,36 +19,36 @@ JA3 Host Stats: 1 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 91.197/TLS.WeChat][cat: Chat/9][88 pkts/15114 bytes <-> 91 pkts/61842 bytes][Goodput ratio: 61.6/90.3][553.47 sec][bytes ratio: -0.607 (Download)][IAT c2s/s2c min/avg/max/stddev: 5/11 6995.1/5836.8 150373/150695 18891.6/18424.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.8/679.6 264/1254 98.8/593.7] - 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][Goodput ratio: 75.8/95.0][15.73 sec][bytes ratio: -0.619 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 403.2/151.4 10035/951 1616.4/288.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 273.4/1335.6 1306/4350 407.2/922.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][Goodput ratio: 86.2/92.3][23.11 sec][bytes ratio: -0.247 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 537.5/311.6 9999/7018 1832.7/1162.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 479.2/862.7 1306/4059 492.4/921.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][Goodput ratio: 71.7/93.4][27.77 sec][bytes ratio: -0.594 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 559.3/53.8 8107/380 1791.8/116.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.1/1003.2 1306/1494 368.4/649.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][Goodput ratio: 81.6/93.0][14.74 sec][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168.3/172.3 1085/1495 276.4/328.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 360.5/946.2 1306/1754 450.4/673.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][Goodput ratio: 78.8/93.0][28.03 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1291.5/951.0 9696/8423 2839.9/2427.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312.7/951.5 1306/2922 423.4/963.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][Goodput ratio: 87.2/86.4][38.16 sec][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1114.3/1109.9 15327/15635 3311.0/3567.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 516.4/486.9 1306/1754 494.4/579.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][Goodput ratio: 82.2/92.9][13.58 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 776.9/120.1 9999/394 2313.0/166.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.7/938.0 1306/5892 453.9/1304.2][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][Goodput ratio: 82.2/93.3][22.24 sec][bytes ratio: -0.392 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1173.5/415.8 10039/3644 2412.0/984.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.6/994.3 1306/8291 453.8/1870.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][Goodput ratio: 89.0/80.8][31.02 sec][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1264.8/1400.8 15319/15624 3541.0/3988.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 605.0/346.1 1494/1494 586.5/471.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][Goodput ratio: 86.2/84.1][47.29 sec][bytes ratio: 0.207 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1387.8/1930.0 15313/15715 3511.0/4240.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 482.5/417.5 1306/1754 480.2/530.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][Goodput ratio: 85.7/85.5][22.50 sec][bytes ratio: 0.105 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1165.0/785.7 10037/4544 2455.0/1496.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 463.3/459.0 1306/1754 478.0/578.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][Goodput ratio: 62.6/93.6][13.04 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1231.5/212.8 9996/1647 2943.7/472.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 178.2/1048.3 1153/3182 289.6/878.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2013-11-05 21:36:50 - 2022-05-20 21:36:50][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][Goodput ratio: 82.8/83.7][47.03 sec][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 2592.2/2688.5 15693/16086 4162.8/4915.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 386.7/410.9 1306/1754 451.5/550.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][Goodput ratio: 84.2/83.8][25.19 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1502.7/1316.1 9999/7806 2987.1/2505.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 419.9/410.4 1306/1494 461.7/506.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.52 sec][bytes ratio: 0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 930.8/134.0 9811/287 2680.9/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.0/460.7 1306/1494 463.0/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.77 sec][bytes ratio: 0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 946.7/155.4 9639/333 2625.9/153.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 429.2/460.7 1306/1494 462.8/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][Goodput ratio: 78.4/86.3][14.48 sec][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1139.8/318.4 10004/1570 2698.0/529.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 308.5/492.1 1306/1798 406.0/692.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][Goodput ratio: 79.8/84.4][22.95 sec][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2021.5/1535.6 10879/11228 3975.6/3666.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 330.4/427.9 1306/1494 415.8/540.7][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][Goodput ratio: 82.3/86.6][11.54 sec][bytes ratio: -0.051 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 140.3/135.6 356/292 157.1/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 376.3/500.4 1306/1754 434.4/627.5][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/TLS.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][Goodput ratio: 66.7/90.0][72.13 sec][bytes ratio: -0.544 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7939.3/7944.1 44960/45306 14472.3/14556.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 167.1/565.6 571/3484 197.3/986.9][TLSv1.2][Client: res.wx.qq.com][JA3C: 550dce18de1bb143e69d6dd9413b8355][Server: wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2 (WEAK)][Organization: Shenzhen Tencent Computer Systems Company Limited][Certificate SHA-1: 67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9][Validity: 2016-05-10 00:00:00 - 2018-08-09 23:59:59][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384] - 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/TLS.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][Goodput ratio: 53.1/82.0][135.40 sec][bytes ratio: -0.444 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6942.5/6941.6 45055/45055 16248.7/16249.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 141.9/368.7 895/1484 195.7/525.4][TLSv1.2][Client: safebrowsing.googleusercontent.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][Server: *.googleusercontent.com][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][Organization: Google Inc][Certificate SHA-1: 8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53][Validity: 2017-04-05 17:14:46 - 2017-06-28 16:57:00][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] + 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][Goodput ratio: 75.8/95.0][15.73 sec][bytes ratio: -0.619 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 403.2/151.4 10035/951 1616.4/288.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 273.4/1335.6 1306/4350 407.2/922.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][Goodput ratio: 86.2/92.3][23.11 sec][bytes ratio: -0.247 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 537.5/311.6 9999/7018 1832.7/1162.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 479.2/862.7 1306/4059 492.4/921.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][Goodput ratio: 71.7/93.4][27.77 sec][bytes ratio: -0.594 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 559.3/53.8 8107/380 1791.8/116.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.1/1003.2 1306/1494 368.4/649.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][Goodput ratio: 81.6/93.0][14.74 sec][bytes ratio: -0.506 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 168.3/172.3 1085/1495 276.4/328.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 360.5/946.2 1306/1754 450.4/673.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][Goodput ratio: 78.8/93.0][28.03 sec][bytes ratio: -0.475 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1291.5/951.0 9696/8423 2839.9/2427.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 312.7/951.5 1306/2922 423.4/963.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][Goodput ratio: 87.2/86.4][38.16 sec][bytes ratio: 0.181 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1114.3/1109.9 15327/15635 3311.0/3567.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 516.4/486.9 1306/1754 494.4/579.4][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][Goodput ratio: 82.2/92.9][13.58 sec][bytes ratio: -0.411 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 776.9/120.1 9999/394 2313.0/166.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.7/938.0 1306/5892 453.9/1304.2][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][Goodput ratio: 82.2/93.3][22.24 sec][bytes ratio: -0.392 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1173.5/415.8 10039/3644 2412.0/984.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 372.6/994.3 1306/8291 453.8/1870.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][Goodput ratio: 89.0/80.8][31.02 sec][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1264.8/1400.8 15319/15624 3541.0/3988.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 605.0/346.1 1494/1494 586.5/471.8][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][Goodput ratio: 86.2/84.1][47.29 sec][bytes ratio: 0.207 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1387.8/1930.0 15313/15715 3511.0/4240.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 482.5/417.5 1306/1754 480.2/530.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][Goodput ratio: 85.7/85.5][22.50 sec][bytes ratio: 0.105 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1165.0/785.7 10037/4544 2455.0/1496.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 463.3/459.0 1306/1754 478.0/578.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][Goodput ratio: 62.6/93.6][13.04 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1231.5/212.8 9996/1647 2943.7/472.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 178.2/1048.3 1153/3182 289.6/878.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][Goodput ratio: 82.8/83.7][47.03 sec][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 2592.2/2688.5 15693/16086 4162.8/4915.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 386.7/410.9 1306/1754 451.5/550.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][Goodput ratio: 84.2/83.8][25.19 sec][bytes ratio: 0.122 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1502.7/1316.1 9999/7806 2987.1/2505.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 419.9/410.4 1306/1494 461.7/506.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.52 sec][bytes ratio: 0.120 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 930.8/134.0 9811/287 2680.9/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.0/460.7 1306/1494 463.0/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][Goodput ratio: 84.5/85.5][11.77 sec][bytes ratio: 0.119 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 946.7/155.4 9639/333 2625.9/153.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 429.2/460.7 1306/1494 462.8/553.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][Goodput ratio: 78.4/86.3][14.48 sec][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 1139.8/318.4 10004/1570 2698.0/529.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 308.5/492.1 1306/1798 406.0/692.3][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][Goodput ratio: 79.8/84.4][22.95 sec][bytes ratio: -0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2021.5/1535.6 10879/11228 3975.6/3666.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 330.4/427.9 1306/1494 415.8/540.7][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][Goodput ratio: 82.3/86.6][11.54 sec][bytes ratio: -0.051 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 140.3/135.6 356/292 157.1/129.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 376.3/500.4 1306/1754 434.4/627.5][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/TLS.QQ][cat: Chat/9][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][Goodput ratio: 66.7/90.0][72.13 sec][bytes ratio: -0.544 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7939.3/7944.1 44960/45306 14472.3/14556.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 167.1/565.6 571/3484 197.3/986.9][TLSv1.2][Client: res.wx.qq.com][JA3C: 550dce18de1bb143e69d6dd9413b8355][ServerNames: wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com][JA3S: 290adf098a54ade688d1df074dbecbf2 (WEAK)][Organization: Shenzhen Tencent Computer Systems Company Limited][Certificate SHA-1: 67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9][Validity: 2016-05-10 00:00:00 - 2018-08-09 23:59:59][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384] + 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.126/TLS.Google][cat: Web/5][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][Goodput ratio: 53.1/82.0][135.40 sec][bytes ratio: -0.444 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6942.5/6941.6 45055/45055 16248.7/16249.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 141.9/368.7 895/1484 195.7/525.4][TLSv1.2][Client: safebrowsing.googleusercontent.com][JA3C: d551fafc4f40f1dec2bb45980bfa9492][ServerNames: *.googleusercontent.com,*.apps.googleusercontent.com,*.appspot.com.storage.googleapis.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.googleweblight.com,*.safenup.googleusercontent.com,*.sandbox.googleusercontent.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.googleapis.com,*.storage.select.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,googleweblight.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news][JA3S: d655f7cd00e93ea8969c3c6e06f0156f][Organization: Google Inc][Certificate SHA-1: 8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53][Validity: 2017-04-05 17:14:46 - 2017-06-28 16:57:00][Cipher: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] 23 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Goodput ratio: 91.6/92.4][0.18 sec][Host: ssl.gstatic.com][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/0 26.8/2.0 76/4 27.2/1.4][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 501.0/554.8 1392/1392 573.8/598.8][PLAIN TEXT (ssl.gstatic.com)] 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.241/QUIC.GoogleDocs][cat: Collaborative/15][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Goodput ratio: 90.6/86.1][1.33 sec][Host: docs.google.com][bytes ratio: 0.117 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.2/248.4 55/1178 23.0/465.4][Pkt Len c2s/s2c min/avg/max/stddev: 77/70 447.8/303.6 1392/1392 532.3/455.1][PLAIN TEXT (docs.google.comr)] - 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][27.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3427.9/1426.0 19999/5411 6454.5/2303.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][30.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3812.8/2235.0 20004/5405 6348.0/2330.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][Goodput ratio: 35.2/85.5][24.98 sec][bytes ratio: -0.564 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3076.0/848.4 20000/3092 6447.6/1206.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/462.9 304/1494 76.6/600.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][13.33 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1665.2/361.5 10763/1441 3452.6/623.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][20.54 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2567.1/79.5 19243/317 6304.7/137.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][11.97 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1495.8/89.5 10477/358 3399.0/155.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][9 pkts/966 bytes <-> 6 pkts/3571 bytes][Goodput ratio: 37.6/88.7][11.54 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1592.0/136.7 10023/410 3446.3/193.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107.3/595.2 304/1754 79.7/731.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][Server: web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][27.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3427.9/1426.0 19999/5411 6454.5/2303.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][Goodput ratio: 35.2/85.3][30.78 sec][bytes ratio: -0.565 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 3812.8/2235.0 20004/5405 6348.0/2330.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/463.9 304/1754 76.6/673.1][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][Goodput ratio: 35.2/85.5][24.98 sec][bytes ratio: -0.564 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3076.0/848.4 20000/3092 6447.6/1206.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/462.9 304/1494 76.6/600.9][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 28 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][13.33 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1665.2/361.5 10763/1441 3452.6/623.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 29 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][20.54 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2567.1/79.5 19243/317 6304.7/137.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 30 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][Goodput ratio: 35.2/87.1][11.97 sec][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1495.8/89.5 10477/358 3399.0/155.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/519.6 304/1494 76.6/622.0][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][9 pkts/966 bytes <-> 6 pkts/3571 bytes][Goodput ratio: 37.6/88.7][11.54 sec][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1592.0/136.7 10023/410 3446.3/193.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107.3/595.2 304/1754 79.7/731.6][TLSv1.2][Client: web.wechat.com][JA3C: e330bca99c8a5256ae126a55c4c725c5][ServerNames: webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com][JA3S: 699a80bdb17efe157c861f92c5bf5d1d][Organization: Tencent Mobility Limited][Certificate SHA-1: 4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1][Validity: 2015-09-21 00:00:00 - 2018-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 32 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/4488 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.2/0.0][3914.88 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6683.7/0.0 41917/0 11731.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 102.0/0.0 102/0 0.0/0.0][PLAIN TEXT (googlecast)] 33 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][cat: Web/5][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Goodput ratio: 89.6/89.1][0.12 sec][Host: ssl.gstatic.com][bytes ratio: 0.025 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 24.0/16.0 53/47 24.3/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 80/72 407.0/387.4 1392/1392 507.8/512.0][PLAIN TEXT (ssl.gstatic.com)] 34 UDP 192.168.1.103:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][44 pkts/3608 bytes -> 0 pkts/0 bytes][Goodput ratio: 48.8/0.0][3914.88 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6683.7/0.0 41917/0 11731.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 82.0/0.0 82/0 0.0/0.0][PLAIN TEXT (googlecast)] diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out index 867dd4950..70899b950 100644 --- a/tests/result/weibo.pcap.out +++ b/tests/result/weibo.pcap.out @@ -12,7 +12,7 @@ JA3 Host Stats: 1 TCP 192.168.1.105:35803 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][52 pkts/5367 bytes <-> 54 pkts/71536 bytes][Goodput ratio: 32.8/95.0][1.44 sec][Host: img.t.sinajs.cn][bytes ratio: -0.860 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 29.0/29.3 400/372 66.4/64.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103.2/1324.7 533/4374 116.5/822.8][URL: img.t.sinajs.cn/t6/style/css/module/base/frame.css?version=201605130537][StatusCode: 200][ContentType: text/css][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/css/module/base/f)] 2 TCP 192.168.1.105:35804 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][32 pkts/3624 bytes <-> 40 pkts/50657 bytes][Goodput ratio: 37.8/94.8][1.33 sec][Host: img.t.sinajs.cn][bytes ratio: -0.866 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.7/38.7 314/338 88.7/81.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 113.2/1266.4 549/2938 132.2/620.2][URL: img.t.sinajs.cn/t6/style/css/module/combination/comb_login.css?version=201605130537][StatusCode: 200][ContentType: text/css][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/css/module/combin)] - 3 TCP 192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][40 pkts/3462 bytes <-> 39 pkts/34030 bytes][Goodput ratio: 13.0/92.4][0.82 sec][Host: www.weibo.com][bytes ratio: -0.815 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/22.7 482/454 83.8/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 86.6/872.6 516/2938 69.2/915.2][URL: www.weibo.com/login.php?lang=en-us][StatusCode: 200][ContentType: text/html][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /login.php)] + 3 TCP 192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][40 pkts/3462 bytes <-> 39 pkts/34030 bytes][Goodput ratio: 13.0/92.4][0.82 sec][Host: www.weibo.com][bytes ratio: -0.815 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24.9/22.7 482/454 83.8/80.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 86.6/872.6 516/2938 69.2/915.2][URL: www.weibo.com/login.php?lang=en-us][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /login.php)] 4 TCP 192.168.1.105:35807 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][27 pkts/2298 bytes <-> 26 pkts/34170 bytes][Goodput ratio: 21.1/95.0][0.53 sec][Host: img.t.sinajs.cn][bytes ratio: -0.874 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 23.0/21.8 183/162 50.2/47.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 85.1/1314.2 550/1502 91.2/448.1][URL: img.t.sinajs.cn/t6/style/images/growth/login/sprite_login.png?13434210384389][StatusCode: 200][ContentType: image/png][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/images/growth/log)] 5 TCP 192.168.1.105:35805 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][21 pkts/2323 bytes <-> 20 pkts/20922 bytes][Goodput ratio: 37.4/93.6][1.37 sec][Host: img.t.sinajs.cn][bytes ratio: -0.800 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 71.8/74.7 375/438 115.7/123.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 110.6/1046.1 525/1502 126.8/556.9][URL: img.t.sinajs.cn/t6/skin/default/skin.css?version=201605130537][StatusCode: 200][ContentType: text/css][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/skin/default/skin.css)] 6 TCP 192.168.1.105:35809 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][18 pkts/1681 bytes <-> 17 pkts/20680 bytes][Goodput ratio: 28.1/94.5][0.56 sec][Host: img.t.sinajs.cn][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 32.1/37.9 252/181 64.0/50.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 93.4/1216.5 539/1502 108.1/525.5][URL: img.t.sinajs.cn/t6/style/images/common/font/wbficon.woff?id=201605111746][StatusCode: 200][ContentType: application/x-font-woff][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /t6/style/images/common/fon)] @@ -22,7 +22,7 @@ JA3 Host Stats: 10 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][cat: Web/5][5 pkts/736 bytes <-> 4 pkts/863 bytes][Goodput ratio: 60.5/73.5][1.05 sec][Host: weibo.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/347 175.8/347.5 353/348 174.3/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 147.2/215.8 500/689 176.6/273.3][URL: weibo.com/login.php?lang=en-us][StatusCode: 301][ContentType: text/html][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /login.php)] 11 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/604 bytes <-> 2 pkts/140 bytes][Goodput ratio: 65.8/0.0][0.46 sec][Host: js.t.sinajs.cn][URL: js.t.sinajs.cn/t5/register/js/v6/pl/base.js?version=201605130537][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (KGET /t)] 12 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][cat: SocialNetwork/6][3 pkts/610 bytes <-> 1 pkts/66 bytes][Goodput ratio: 70.0/0.0][0.38 sec][Host: u1.img.mobile.sina.cn][URL: u1.img.mobile.sina.cn/public/files/image/620x300_img5653d57c6dab2.png][StatusCode: 0][ContentType: ][UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36][PLAIN TEXT (GET /public/files/image/620)] - 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][Goodput ratio: 52.2/0.0][0.16 sec][TLSv1][Client: g.alicdn.com][JA3C: 58e7f64db6e4fe4941dd9691d421196c][PLAIN TEXT (g.alicdn.com)] + 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][3 pkts/382 bytes <-> 1 pkts/66 bytes][Goodput ratio: 52.2/0.0][0.16 sec][TLSv1.2][Client: g.alicdn.com][JA3C: 58e7f64db6e4fe4941dd9691d421196c][PLAIN TEXT (g.alicdn.com)] 14 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/75 bytes <-> 1 pkts/191 bytes][Goodput ratio: 43.4/77.6][0.11 sec][Host: img.t.sinajs.cn] 15 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/74 bytes <-> 1 pkts/190 bytes][Goodput ratio: 42.7/77.5][0.54 sec][Host: js.t.sinajs.cn] 16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/171 bytes][Goodput ratio: 41.1/75.0][0.19 sec][Host: g.alicdn.com][PLAIN TEXT (alicdn)] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index e3aceafa2..d16cec350 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -1,3 +1,4 @@ +Unknown 180 24874 1 HTTP 11 726 3 MDNS 8 952 4 DHCP 10 3420 1 @@ -6,7 +7,7 @@ ICMP 10 700 1 TLS 8 589 2 Dropbox 4 2176 1 Apple 212 56189 22 -WhatsApp 182 25154 2 +WhatsApp 2 280 1 Spotify 3 258 1 JA3 Host Stats: @@ -16,58 +17,61 @@ JA3 Host Stats: 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][Goodput ratio: 71.1/54.9][9.73 sec][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 40.5/33.0 198/347 51.1/47.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145.3/93.1 525/488 100.0/64.5][PLAIN TEXT (zTdFPOk)] 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][Goodput ratio: 66.2/81.4][7.74 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 47.8/124.4 307/539 62.9/96.2][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124.3/226.1 484/552 75.0/128.5] - 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][Goodput ratio: 55.1/48.0][134.29 sec][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1384.9/1865.5 28162/28146 4416.3/5104.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147.1/127.0 1506/754 238.5/99.0][PLAIN TEXT (iPhone)] - 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86.5/80.2][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 121.7/107.9 1665/1391 339.6/319.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 84.8/90.3][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1908.9/36.8 30435/294 7133.2/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][Server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2014-03-08 01:53:04 - 2029-03-08 01:53:04][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 84.7/76.8][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.8/42.0 225/228 76.0/80.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)] - 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][Goodput ratio: 78.4/79.7][29.18 sec][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2192.2/2121.8 18656/18299 5822.2/5720.0][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5] - 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][59.94 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] - 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79.4/59.8][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1922.9/792.0 6986/6468 2906.0/2008.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] - 11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][90.14 sec][PLAIN TEXT ( 3375359593)] - 12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][Goodput ratio: 47.4/39.1][0.94 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 104.7/100.3 275/162 108.0/46.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5] - 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][8.85 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.8/0.0 667/0 13.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] - 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][6.95 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] - 15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.9/0.0][43.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0] - 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 18 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 22 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] - 23 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 24 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 25 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec][PLAIN TEXT (ay.OF@)] - 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] - 30 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes][Goodput ratio: 0.0/39.0][0.03 sec] - 31 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes][Goodput ratio: 0.0/0.0][0.20 sec] - 32 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Goodput ratio: 46.3/82.9][0.07 sec][Host: query.ess.apple.com][PLAIN TEXT (akadns)] - 33 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e13.whatsapp.net][PLAIN TEXT (whatsapp)] - 34 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.0/0.0][77.07 sec][PLAIN TEXT (SpotUdp)] - 35 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] - 36 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] - 37 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] - 38 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] - 39 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] - 40 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] - 41 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/TLS][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.06 sec] - 42 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.28 sec] - 43 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] - 44 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] - 45 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] - 46 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] - 47 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] - 48 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] - 49 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.22 sec] - 50 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.05 sec] - 51 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] - 52 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] - 53 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] - 54 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] - 55 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] - 56 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] - 57 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 3 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][Goodput ratio: 86.5/80.2][34.28 sec][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 121.7/107.9 1665/1391 339.6/319.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 4 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][Goodput ratio: 84.8/90.3][32.84 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1908.9/36.8 30435/294 7133.2/81.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][ServerNames: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2015-05-06 01:09:47 - 2016-06-04 01:09:47][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 5 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][Goodput ratio: 84.7/76.8][0.94 sec][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 35.8/42.0 225/228 76.0/80.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] + 6 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][Goodput ratio: 84.6/39.2][125.45 sec][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12859.6/12856.5 101116/101113 33358.6/33358.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)] + 7 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][Goodput ratio: 78.4/79.7][29.18 sec][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2192.2/2121.8 18656/18299 5822.2/5720.0][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5] + 8 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][59.94 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] + 9 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][Goodput ratio: 79.4/59.8][14.33 sec][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1922.9/792.0 6986/6468 2906.0/2008.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] + 10 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][90.14 sec][PLAIN TEXT ( 3375359593)] + 11 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][Goodput ratio: 47.4/39.1][0.94 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 104.7/100.3 275/162 108.0/46.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5] + 12 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][8.85 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.8/0.0 667/0 13.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 13 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.1/0.0][6.95 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 14 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][Goodput ratio: 39.9/0.0][43.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0] + 15 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 16 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 17 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 18 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 19 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 20 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 21 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][29.18 sec] + 22 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 23 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 24 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec][PLAIN TEXT (ay.OF@)] + 25 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 26 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 27 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 28 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][14.33 sec] + 29 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes][Goodput ratio: 0.0/39.0][0.03 sec] + 30 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes][Goodput ratio: 0.0/0.0][0.20 sec] + 31 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Goodput ratio: 46.3/82.9][0.07 sec][Host: query.ess.apple.com][PLAIN TEXT (akadns)] + 32 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e13.whatsapp.net][PLAIN TEXT (whatsapp)] + 33 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][3 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.0/0.0][77.07 sec][PLAIN TEXT (SpotUdp)] + 34 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] + 35 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/258 bytes -> 0 pkts/0 bytes][Goodput ratio: 51.7/0.0][0.24 sec] + 36 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] + 37 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/218 bytes -> 0 pkts/0 bytes][Goodput ratio: 61.2/0.0][0.24 sec] + 38 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] + 39 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.03 sec] + 40 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/TLS][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.06 sec] + 41 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 42 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] + 43 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] + 44 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] + 45 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.30 sec] + 46 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] + 47 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.21 sec] + 48 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.22 sec] + 49 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.05 sec] + 50 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 51 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + 52 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.16 sec] + 53 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.17 sec] + 54 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] + 55 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.26 sec] + 56 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/TLS.Apple][cat: Web/5][2 pkts/108 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0.0/0.0][0.28 sec] + + +Undetected flows: + 1 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 0/Unknown][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][Goodput ratio: 55.1/48.0][134.29 sec][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1384.9/1865.5 28162/28146 4416.3/5104.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147.1/127.0 1506/754 238.5/99.0][PLAIN TEXT (iPhone)] diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out index 59a9dce17..34936abdb 100644 --- a/tests/result/whatsapp_login_chat.pcap.out +++ b/tests/result/whatsapp_login_chat.pcap.out @@ -1,16 +1,20 @@ +Unknown 30 2963 1 MDNS 2 202 2 DHCP 6 2052 1 Dropbox 2 1088 1 Apple 50 23466 2 -WhatsApp 32 3243 2 +WhatsApp 2 280 1 Spotify 1 86 1 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes][Goodput ratio: 91.4/82.7][3.89 sec][bytes ratio: 0.415 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 179.5/27.0 2803/212 622.4/56.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629.9/312.7 1494/1002 544.4/369.6][PLAIN TEXT (BjmkLnl)] - 2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][cat: Chat/9][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][Goodput ratio: 36.8/25.9][19.72 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)] - 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0] - 4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][25.29 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] - 5 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.04 sec][PLAIN TEXT ( 3375359593)] - 6 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e12.whatsapp.net][PLAIN TEXT (whatsapp)] - 7 UDP [fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/111 bytes -> 0 pkts/0 bytes][Goodput ratio: 43.8/0.0][< 1 sec][PLAIN TEXT (airplay)] - 8 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 53.3/0.0][< 1 sec][PLAIN TEXT (airplay)] - 9 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 50.6/0.0][< 1 sec][PLAIN TEXT (SpotUdp)] + 2 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238.140/ApplePush.Apple][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][Goodput ratio: 81.1/0.0][20.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0] + 3 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Goodput ratio: 87.7/0.0][25.29 sec][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] + 4 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92.2/0.0][30.04 sec][PLAIN TEXT ( 3375359593)] + 5 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][cat: Chat/9][1 pkts/76 bytes <-> 1 pkts/204 bytes][Goodput ratio: 44.2/79.0][0.03 sec][Host: e12.whatsapp.net][PLAIN TEXT (whatsapp)] + 6 UDP [fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/111 bytes -> 0 pkts/0 bytes][Goodput ratio: 43.8/0.0][< 1 sec][PLAIN TEXT (airplay)] + 7 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 53.3/0.0][< 1 sec][PLAIN TEXT (airplay)] + 8 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 50.6/0.0][< 1 sec][PLAIN TEXT (SpotUdp)] + + +Undetected flows: + 1 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 0/Unknown][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][Goodput ratio: 36.8/25.9][19.72 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)] diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out index dfe3d9087..a8a374119 100644 --- a/tests/result/whatsapp_voice_and_message.pcap.out +++ b/tests/result/whatsapp_voice_and_message.pcap.out @@ -1,11 +1,12 @@ WhatsAppCall 44 5916 8 -WhatsApp 217 22139 5 +TLS 46 4990 1 +WhatsApp 171 17149 4 1 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][cat: Chat/9][30 pkts/2539 bytes <-> 32 pkts/3070 bytes][Goodput ratio: 35.4/43.7][47.83 sec][bytes ratio: -0.095 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1857.9/1709.0 28667/28718 5782.9/5581.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.6/95.9 299/559 55.4/94.3][PLAIN TEXT (Android)] - 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][cat: Chat/9][24 pkts/3029 bytes <-> 22 pkts/1961 bytes][Goodput ratio: 56.5/39.4][13.49 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 680.6/812.4 10696/10748 2366.1/2569.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.2/89.1 590/469 124.1/91.7][PLAIN TEXT (Android)] + 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 91/TLS][cat: Web/5][24 pkts/3029 bytes <-> 22 pkts/1961 bytes][Goodput ratio: 56.5/39.4][13.49 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 680.6/812.4 10696/10748 2366.1/2569.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.2/89.1 590/469 124.1/91.7][PLAIN TEXT (Android)] 3 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][cat: Chat/9][15 pkts/2690 bytes <-> 15 pkts/2019 bytes][Goodput ratio: 69.1/59.9][8.61 sec][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 717.0/767.1 8044/4043 2210.4/1535.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 179.3/134.6 590/1022 202.7/240.7][PLAIN TEXT (Android)] 4 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][cat: Chat/9][26 pkts/2311 bytes <-> 26 pkts/2300 bytes][Goodput ratio: 38.4/38.9][10.07 sec][bytes ratio: 0.002 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 495.5/397.2 6149/6160 1350.6/1325.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 88.9/88.5 299/308 58.4/60.8][PLAIN TEXT (Android)] - 5 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][cat: Chat/9][14 pkts/1123 bytes <-> 13 pkts/1097 bytes][Goodput ratio: 30.9/36.0][1.34 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 96.3/113.5 318/331 104.1/95.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 80.2/84.4 231/286 43.9/62.4][PLAIN TEXT (Android)] + 5 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 91.142/TLS.WhatsApp][cat: Chat/9][14 pkts/1123 bytes <-> 13 pkts/1097 bytes][Goodput ratio: 30.9/36.0][1.34 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 96.3/113.5 318/331 104.1/95.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 80.2/84.4 231/286 43.9/62.4][PLAIN TEXT (Android)] 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][5 pkts/840 bytes <-> 4 pkts/344 bytes][Goodput ratio: 74.9/51.0][60.68 sec][bytes ratio: 0.419 (Upload)][IAT c2s/s2c min/avg/max/stddev: 208/189 15170.2/209.7 60006/241 25885.9/22.5][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168.0/86.0 168/86 0.0/0.0] 7 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][58.83 sec] 8 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][Goodput ratio: 74.9/50.9][58.25 sec] diff --git a/tests/result/whatsappfiles.pcap.out b/tests/result/whatsappfiles.pcap.out index 31562abea..6ea83f436 100644 --- a/tests/result/whatsappfiles.pcap.out +++ b/tests/result/whatsappfiles.pcap.out @@ -6,4 +6,4 @@ JA3 Host Stats: 1 TCP 192.168.2.29:49698 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][132 pkts/9906 bytes <-> 178 pkts/237405 bytes][Goodput ratio: 11.8/95.0][7.27 sec][bytes ratio: -0.920 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 61.6/47.4 5775/5834 571.5/481.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75.0/1333.7 583/1464 51.0/391.7][TLSv1.2][Client: mmg-fna.whatsapp.net][JA3C: 4e1a414c4f4c99097edd2a9a98e336c8][JA3S: 96681175a9547081bf3d417f1a572091][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][Goodput ratio: 94.4/31.7][110.02 sec][bytes ratio: 0.846 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 322.0/659.4 24639/64743 2277.8/6018.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 1175.1/105.6 1464/1464 540.1/167.3][TLSv1.2][Client: mmg-fna.whatsapp.net][JA3C: 107144b88827da5da9ed42d8776ccdc5][Server: *.whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: 10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB][Validity: 2017-04-26 00:00:00 - 2018-05-01 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.2.29:49674 <-> 185.60.216.53:443 [proto: 91.242/TLS.WhatsAppFiles][cat: Download-FileTransfer-FileSharing/7][161 pkts/189194 bytes <-> 149 pkts/15728 bytes][Goodput ratio: 94.4/31.7][110.02 sec][bytes ratio: 0.846 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 322.0/659.4 24639/64743 2277.8/6018.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 1175.1/105.6 1464/1464 540.1/167.3][TLSv1.2][Client: mmg-fna.whatsapp.net][JA3C: 107144b88827da5da9ed42d8776ccdc5][ServerNames: *.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net][JA3S: 2d1eb5817ece335c24904f516ad5da12][Organization: Facebook, Inc.][Certificate SHA-1: 10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB][Validity: 2017-04-26 00:00:00 - 2018-05-01 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/youtubeupload.pcap.out b/tests/result/youtubeupload.pcap.out index ce4a75468..f6b1856e6 100644 --- a/tests/result/youtubeupload.pcap.out +++ b/tests/result/youtubeupload.pcap.out @@ -7,4 +7,4 @@ JA3 Host Stats: 1 UDP 192.168.2.27:51925 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][80 pkts/100473 bytes <-> 20 pkts/6003 bytes][Goodput ratio: 96.7/86.0][3.49 sec][Host: upload.youtube.com][bytes ratio: 0.887 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.0/249.2 1825/1883 216.5/551.3][Pkt Len c2s/s2c min/avg/max/stddev: 77/58 1255.9/300.1 1392/1392 385.3/473.5][PLAIN TEXT (upload.youtube.comQ)] 2 UDP 192.168.2.27:62232 <-> 172.217.23.111:443 [proto: 188.136/QUIC.YouTubeUpload][cat: Media/1][13 pkts/8651 bytes <-> 11 pkts/6463 bytes][Goodput ratio: 93.7/92.8][16.89 sec][Host: upload.youtube.com][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1666.9/2090.5 14942/15097 4450.3/4940.9][Pkt Len c2s/s2c min/avg/max/stddev: 65/60 665.5/587.5 1392/1392 633.6/618.0][PLAIN TEXT (upload.youtube.comQ)] - 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/TLS.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][Goodput ratio: 45.4/91.9][0.12 sec][bytes ratio: -0.762 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.5/11.8 57/39 23.4/15.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 108.2/685.6 256/1484 73.1/634.0][TLSv1.2][Client: upload.youtube.com][JA3C: bc6c386f480ee97b9d9e52d472b772d8][Server: upload.video.google.com][JA3S: b26c652e0a402a24b5ca2a660e84f9d5][Organization: Google Inc][Certificate SHA-1: EE:3E:32:FB:B1:2E:82:EE:DF:FF:C0:1B:27:CD:BF:D8:8A:CB:BD:63][Validity: 2017-11-01 13:50:15 - 2018-01-24 13:31:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.2.27:57452 <-> 172.217.23.111:443 [proto: 91.136/TLS.YouTubeUpload][cat: Media/1][6 pkts/649 bytes <-> 7 pkts/4799 bytes][Goodput ratio: 45.4/91.9][0.12 sec][bytes ratio: -0.762 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21.5/11.8 57/39 23.4/15.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 108.2/685.6 256/1484 73.1/634.0][TLSv1.2][Client: upload.youtube.com][JA3C: bc6c386f480ee97b9d9e52d472b772d8][ServerNames: upload.video.google.com,*.clients.google.com,*.docs.google.com,*.drive.google.com,*.gdata.youtube.com,*.googleapis.com,*.photos.google.com,*.upload.google.com,*.upload.youtube.com,*.youtube-3rd-party.com,upload.google.com,upload.youtube.com,uploads.stage.gdata.youtube.com][JA3S: b26c652e0a402a24b5ca2a660e84f9d5][Organization: Google Inc][Certificate SHA-1: EE:3E:32:FB:B1:2E:82:EE:DF:FF:C0:1B:27:CD:BF:D8:8A:CB:BD:63][Validity: 2017-11-01 13:50:15 - 2018-01-24 13:31:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out index a006ae7a6..dff863194 100644 --- a/tests/result/zoom.pcap.out +++ b/tests/result/zoom.pcap.out @@ -17,14 +17,14 @@ JA3 Host Stats: 1 UDP 192.168.1.117:58327 <-> 109.94.160.99:8801 [proto: 189/Zoom][cat: Video/26][10 pkts/7806 bytes <-> 175 pkts/184434 bytes][Goodput ratio: 94.6/96.0][1.44 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13.8/7.8 32/35 10.6/4.6][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 780.6/1053.9 1071/1071 444.1/129.4][PLAIN TEXT (replace)] - 2 TCP 192.168.1.117:54871 <-> 109.94.160.99:443 [proto: 91.189/TLS.Zoom][cat: Video/26][127 pkts/54118 bytes <-> 83 pkts/17526 bytes][Goodput ratio: 84.5/68.6][2.00 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.9/9.2 950/156 93.0/23.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 426.1/211.2 1506/1506 458.2/363.6][TLSv1.2][Client: zoomfrn99mmr.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 3 TCP 192.168.1.117:54866 <-> 52.202.62.236:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/3097 bytes <-> 17 pkts/18622 bytes][Goodput ratio: 71.3/94.9][0.61 sec][bytes ratio: -0.715 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32.5/27.5 114/143 46.8/50.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 193.6/1095.4 864/1506 265.3/617.8][TLSv1.2][Client: www3.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][Server: *.zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 4 TCP 192.168.1.117:54865 <-> 52.202.62.196:443 [proto: 91.189/TLS.Zoom][cat: Video/26][15 pkts/2448 bytes <-> 15 pkts/16505 bytes][Goodput ratio: 65.9/94.9][0.50 sec][bytes ratio: -0.742 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/21.7 112/136 46.2/45.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 163.2/1100.3 687/1506 200.1/622.5][TLSv1.2][Client: zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][Server: *.zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 5 TCP 192.168.1.117:54868 <-> 213.19.144.104:443 [proto: 91.189/TLS.Zoom][cat: Video/26][17 pkts/2534 bytes <-> 13 pkts/7180 bytes][Goodput ratio: 56.2/88.0][0.41 sec][bytes ratio: -0.478 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/41.1 87/168 27.5/61.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149.1/552.3 642/1506 174.8/611.7][TLSv1.2][Client: zoomam104zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 192.168.1.117:54869 <-> 213.244.140.85:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2480 bytes <-> 13 pkts/7182 bytes][Goodput ratio: 57.4/88.0][0.39 sec][bytes ratio: -0.487 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.3/40.9 202/224 51.8/71.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 155.0/552.5 642/1506 178.5/611.7][TLSv1.2][Client: zoomfr85zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 7 TCP 192.168.1.117:54867 <-> 213.19.144.105:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2468 bytes <-> 13 pkts/7188 bytes][Goodput ratio: 57.7/88.0][0.42 sec][bytes ratio: -0.489 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.2/42.6 147/178 40.5/63.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154.2/552.9 642/1506 178.9/611.6][TLSv1.2][Client: zoomam105zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 8 TCP 192.168.1.117:54870 <-> 213.244.140.84:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/1832 bytes <-> 12 pkts/6702 bytes][Goodput ratio: 44.3/88.1][0.38 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/40.2 187/280 49.0/91.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 114.5/558.5 583/1506 129.0/636.0][TLSv1.2][Client: zoomfr84zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][Server: *.zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 9 TCP 192.168.1.117:54864 <-> 52.202.62.238:443 [proto: 91.189/TLS.Zoom][cat: Video/26][10 pkts/2030 bytes <-> 8 pkts/6283 bytes][Goodput ratio: 72.2/92.8][0.47 sec][bytes ratio: -0.512 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 58.5/40.3 110/131 49.6/57.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 203.0/785.4 812/1506 256.3/675.1][TLSv1.2][Client: log.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][Server: *.zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 2 TCP 192.168.1.117:54871 <-> 109.94.160.99:443 [proto: 91.189/TLS.Zoom][cat: Video/26][127 pkts/54118 bytes <-> 83 pkts/17526 bytes][Goodput ratio: 84.5/68.6][2.00 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 16.9/9.2 950/156 93.0/23.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 426.1/211.2 1506/1506 458.2/363.6][TLSv1.2][Client: zoomfrn99mmr.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 3 TCP 192.168.1.117:54866 <-> 52.202.62.236:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/3097 bytes <-> 17 pkts/18622 bytes][Goodput ratio: 71.3/94.9][0.61 sec][bytes ratio: -0.715 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32.5/27.5 114/143 46.8/50.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 193.6/1095.4 864/1506 265.3/617.8][TLSv1.2][Client: www3.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 4 TCP 192.168.1.117:54865 <-> 52.202.62.196:443 [proto: 91.189/TLS.Zoom][cat: Video/26][15 pkts/2448 bytes <-> 15 pkts/16505 bytes][Goodput ratio: 65.9/94.9][0.50 sec][bytes ratio: -0.742 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/21.7 112/136 46.2/45.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 163.2/1100.3 687/1506 200.1/622.5][TLSv1.2][Client: zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 5 TCP 192.168.1.117:54868 <-> 213.19.144.104:443 [proto: 91.189/TLS.Zoom][cat: Video/26][17 pkts/2534 bytes <-> 13 pkts/7180 bytes][Goodput ratio: 56.2/88.0][0.41 sec][bytes ratio: -0.478 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/41.1 87/168 27.5/61.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149.1/552.3 642/1506 174.8/611.7][TLSv1.2][Client: zoomam104zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 6 TCP 192.168.1.117:54869 <-> 213.244.140.85:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2480 bytes <-> 13 pkts/7182 bytes][Goodput ratio: 57.4/88.0][0.39 sec][bytes ratio: -0.487 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.3/40.9 202/224 51.8/71.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 155.0/552.5 642/1506 178.5/611.7][TLSv1.2][Client: zoomfr85zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 7 TCP 192.168.1.117:54867 <-> 213.19.144.105:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/2468 bytes <-> 13 pkts/7188 bytes][Goodput ratio: 57.7/88.0][0.42 sec][bytes ratio: -0.489 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30.2/42.6 147/178 40.5/63.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154.2/552.9 642/1506 178.9/611.6][TLSv1.2][Client: zoomam105zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 8 TCP 192.168.1.117:54870 <-> 213.244.140.84:443 [proto: 91.189/TLS.Zoom][cat: Video/26][16 pkts/1832 bytes <-> 12 pkts/6702 bytes][Goodput ratio: 44.3/88.1][0.38 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.9/40.2 187/280 49.0/91.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 114.5/558.5 583/1506 129.0/636.0][TLSv1.2][Client: zoomfr84zc.zoom.us][JA3C: c51de225944b7d58d48c0f99f86ba8e6][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] + 9 TCP 192.168.1.117:54864 <-> 52.202.62.238:443 [proto: 91.189/TLS.Zoom][cat: Video/26][10 pkts/2030 bytes <-> 8 pkts/6283 bytes][Goodput ratio: 72.2/92.8][0.47 sec][bytes ratio: -0.512 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 58.5/40.3 110/131 49.6/57.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 203.0/785.4 812/1506 256.3/675.1][TLSv1.2][Client: log.zoom.us][JA3C: 535aca3d99fc247509cd50933cd71d37][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 10 TCP 192.168.1.117:53872 <-> 35.186.224.53:443 [proto: 91.126/TLS.Google][cat: Web/5][8 pkts/2017 bytes <-> 8 pkts/4822 bytes][Goodput ratio: 73.8/89.0][0.07 sec][bytes ratio: -0.410 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9.7/9.5 58/45 21.6/16.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 252.1/602.8 1434/1484 447.5/585.4] 11 TCP 192.168.1.117:54863 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/2198 bytes <-> 10 pkts/2067 bytes][Goodput ratio: 69.4/67.6][5.26 sec][bytes ratio: 0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 644.8/739.7 5003/5003 1647.5/1740.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 219.8/206.7 932/1292 283.1/364.2][TLSv1.2][Client: dati.ntop.org][JA3C: a795593605a13211941d44505b4d1e39][JA3S: dd4b012f7a008e741554bd0a4ed12920][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] 12 TCP 192.168.1.117:54854 -> 172.217.21.72:443 [proto: 91.126/TLS.Google][cat: Web/5][4 pkts/1060 bytes -> 0 pkts/0 bytes][Goodput ratio: 75.0/0.0][6.46 sec][TLSv1][Client: www.googletagmanager.com][JA3C: d78489b860c8bf7838a6ff0b4d131541] |