-rw-r--r--example/ndpiReader.c6
-rw-r--r--example/ndpiSimpleIntegration.c2
-rw-r--r--src/include/ndpi_api.h.in4
-rw-r--r--src/include/ndpi_typedefs.h11
-rw-r--r--src/lib/ndpi_content_match.c.inc11
-rw-r--r--src/lib/ndpi_main.c225
-rw-r--r--src/lib/protocols/tls.c50
-rw-r--r--tests/dga/dga_evaluate.c2
-rw-r--r--tests/pcap/anydesk-2.pcapbin0 -> 2232732 bytes
-rw-r--r--tests/result/KakaoTalk_talk.pcap.out7
-rw-r--r--tests/result/anydesk-2.pcap.out12
-rw-r--r--tests/result/simple-dnscrypt.pcap.out10
-rw-r--r--tests/result/skype.pcap.out6
-rw-r--r--tests/result/skype_no_unknown.pcap.out6
14 files changed, 211 insertions, 141 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 591480ff3..729d04d52 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -273,7 +273,7 @@ void ndpiCheckHostStringMatch(char *testChar) {
return;
ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
- ndpi_finalize_initalization(ndpi_str);
+ ndpi_finalize_initialization(ndpi_str);
// Display ALL Host strings ie host_match[] ?
// void ac_automata_display (AC_AUTOMATA_t * thiz, char repcast);
@@ -2060,7 +2060,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
if(_riskyDomainFilePath)
ndpi_load_risk_domain_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _riskyDomainFilePath);
- ndpi_finalize_initalization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
+ ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
if(enable_doh_dot_detection)
ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
@@ -3505,7 +3505,7 @@ static void dgaUnitTest() {
NDPI_BITMASK_SET_ALL(all);
ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
- ndpi_finalize_initalization(ndpi_str);
+ ndpi_finalize_initialization(ndpi_str);
assert(ndpi_str != NULL);
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index 5f0b6d87d..70423afbc 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -166,7 +166,7 @@ static struct nDPI_workflow * init_workflow(char const * const file_or_device)
NDPI_PROTOCOL_BITMASK protos;
NDPI_BITMASK_SET_ALL(protos);
ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &protos);
- ndpi_finalize_initalization(workflow->ndpi_struct);
+ ndpi_finalize_initialization(workflow->ndpi_struct);
return workflow;
}
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 8163c0553..65d06fafc 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -180,7 +180,7 @@ extern "C" {
* Returns a new initialized detection module
* Note that before you can use it you can still load
* hosts and do other things. As soon as you are ready to use
- * it do not forget to call first ndpi_finalize_initalization()
+ * it do not forget to call first ndpi_finalize_initialization()
*
* You can call this function multiple times, (i.e. to create multiple
* indipendent detection contexts) but all these calls MUST NOT run
@@ -198,7 +198,7 @@ extern "C" {
* @par ndpi_str = the struct created for the protocol detection
*
*/
- void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str);
+ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str);
/**
* Frees the dynamic memory allocated members in the specified flow
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 678d55f52..dce9c34d8 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1099,8 +1099,8 @@ struct ndpi_detection_module_struct {
content_automa, /* Used for HTTP subprotocol_detection */
subprotocol_automa, /* Used for HTTP subprotocol_detection */
bigrams_automa, impossible_bigrams_automa, /* TOR */
- risky_domain_automa;
- /* IMPORTANT: please update ndpi_finalize_initalization() whenever you add a new automa */
+ risky_domain_automa, tls_cert_subject_automa;
+ /* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */
struct {
ndpi_automa hostnames, hostnames_shadow;
@@ -1422,7 +1422,7 @@ struct ndpi_flow_struct {
typedef struct {
char *string_to_match, *proto_name;
- int protocol_id;
+ u_int16_t protocol_id;
ndpi_protocol_category_t protocol_category;
ndpi_protocol_breed_t protocol_breed;
} ndpi_protocol_match;
@@ -1433,6 +1433,11 @@ typedef struct {
} ndpi_category_match;
typedef struct {
+ char *string_to_match;
+ u_int16_t protocol_id;
+} ndpi_tls_cert_name_match;
+
+typedef struct {
u_int32_t network;
u_int8_t cidr;
u_int8_t value;
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 1f96baacb..d75e2914d 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -9118,6 +9118,17 @@ static ndpi_protocol_match host_match[] =
{ NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE }
};
+/* ******************************************************************** */
+
+static ndpi_tls_cert_name_match tls_certificate_match [] = {
+ { "CN=AnyDesk Client", NDPI_PROTOCOL_ANYDESK },
+ { "O=Kakao", NDPI_PROTOCOL_KAKAOTALK },
+ { "O=ntop.org", NDPI_PROTOCOL_NTOP },
+ { "CN=simplednscrypt.org", NDPI_PROTOCOL_DNSCRYPT },
+ { "CN=*.gateway.messenger.live.com", NDPI_PROTOCOL_SKYPE },
+
+ { NULL, 0 }
+};
/* ******************************************************************** */
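Review bot: The new `tls_certificate_match[]` table has no comment saying what a match proves, and its entries are short fragments of a certificate subject (`O=Kakao`, `O=ntop.org`) that the sending peer chooses freely. The matching code in tls.c is not part of this hunk, but the table is loaded into an Aho-Corasick automa, so the strings are presumably searched as substrings of the subject DN without any validation of the certificate chain. If so, a self-signed certificate that merely contains one of these strings would be labelled as that protocol. I would add a comment above the table such as `/* Substrings searched in the unverified TLS certificate subject: a match is a classification hint, not proof of the peer's identity */`. The terminator could also read `{ NULL, NDPI_PROTOCOL_UNKNOWN }` to match the `host_match[]` sentinel just above.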
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e00852aa5..ad6745d8f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -205,7 +205,7 @@ char *ndpi_get_proto_by_id(struct ndpi_detection_module_struct *ndpi_str, u_int
u_int16_t ndpi_get_proto_by_name(struct ndpi_detection_module_struct *ndpi_str, const char *name) {
u_int16_t i, num = ndpi_get_num_supported_protocols(ndpi_str);
- for (i = 0; i < num; i++)
+ for(i = 0; i < num; i++)
if(strcasecmp(ndpi_get_proto_by_id(ndpi_str, i), name) == 0)
return(i);
@@ -350,7 +350,7 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_str, ndpi
memcpy(&ndpi_str->proto_defaults[protoId].master_tcp_protoId, tcp_master_protoId, 2 * sizeof(u_int16_t));
memcpy(&ndpi_str->proto_defaults[protoId].master_udp_protoId, udp_master_protoId, 2 * sizeof(u_int16_t));
- for (j = 0; j < MAX_DEFAULT_PORTS; j++) {
+ for(j = 0; j < MAX_DEFAULT_PORTS; j++) {
if(udpDefPorts[j].port_low != 0)
addDefaultPort(ndpi_str, &udpDefPorts[j], &ndpi_str->proto_defaults[protoId], 0, &ndpi_str->udpRoot,
__FUNCTION__, __LINE__);
@@ -397,7 +397,7 @@ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, ndpi_p
const char *_func, int _line) {
u_int16_t port;
- for (port = range->port_low; port <= range->port_high; port++) {
+ for(port = range->port_low; port <= range->port_high; port++) {
ndpi_default_ports_tree_node_t *node =
(ndpi_default_ports_tree_node_t *) ndpi_malloc(sizeof(ndpi_default_ports_tree_node_t));
ndpi_default_ports_tree_node_t *ret;
@@ -432,7 +432,7 @@ static int removeDefaultPort(ndpi_port_range *range, ndpi_proto_defaults_t *def,
ndpi_default_ports_tree_node_t node;
u_int16_t port;
- for (port = range->port_low; port <= range->port_high; port++) {
+ for(port = range->port_low; port <= range->port_high; port++) {
ndpi_default_ports_tree_node_t *ret;
node.proto = def, node.default_port = port;
@@ -475,14 +475,16 @@ static u_int8_t ndpi_is_middle_string_char(char c) {
/* ****************************************************** */
-static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_str, ndpi_automa *automa, char *value,
- u_int16_t protocol_id, ndpi_protocol_category_t category, ndpi_protocol_breed_t breed,
+static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_str,
+ ndpi_automa *automa, char *value,
+ u_int16_t protocol_id, ndpi_protocol_category_t category,
+ ndpi_protocol_breed_t breed,
u_int8_t free_str_on_duplicate, u_int8_t add_ends_with) {
AC_PATTERN_t ac_pattern;
AC_ERROR_t rc;
char buf[96];
u_int len, dot;
-
+
if(protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS)) {
NDPI_LOG_ERR(ndpi_str, "[NDPI] protoId=%d: INTERNAL ERROR\n", protocol_id);
return(-1);
@@ -494,20 +496,23 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_str,
len = strlen(value);
dot = len -1;
+ memset(&ac_pattern, 0, sizeof(ac_pattern));
+
if((!add_ends_with) || ndpi_is_middle_string_char(value[dot])) {
ac_pattern.length = len;
ac_pattern.astring = value;
} else {
u_int mlen = sizeof(buf)-2;
-
+
len = ndpi_min(len, mlen);
ac_pattern.length = snprintf(buf, mlen, "%s$", value);
free(value);
value = ndpi_strdup(buf);
ac_pattern.astring = value;
}
-
- ac_pattern.rep.number = protocol_id, ac_pattern.rep.category = (u_int16_t) category, ac_pattern.rep.breed = (u_int16_t) breed;
+
+ ac_pattern.rep.number = protocol_id, ac_pattern.rep.category = (u_int16_t) category,
+ ac_pattern.rep.breed = (u_int16_t) breed;
#ifdef MATCH_DEBUG
printf("Adding to automa [%s][protocol_id: %u][category: %u][breed: %u]\n",
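Review bot: In the `else` branch, `ac_pattern.length = snprintf(buf, mlen, "%s$", value);` stores the length the full string would have had, not the number of bytes actually written to `buf`. For a `value` longer than `mlen` allows, the recorded pattern length is larger than the string produced by `ndpi_strdup(buf)`, and the trailing `$` anchor is silently lost. I would take the length from the buffer instead, `snprintf(buf, mlen, "%s$", value);` followed by `ac_pattern.length = strlen(buf);`, or reject over-long values outright. The result of `ndpi_strdup()` is also used without a NULL check, and `value` is released with `free()` here while the duplicate path further down uses `ndpi_free()`. The function starts and ends outside this hunk.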
@@ -515,9 +520,10 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_str,
#endif
rc = ac_automata_add(((AC_AUTOMATA_t *) automa->ac_automa), &ac_pattern);
+
if((rc != ACERR_DUPLICATE_PATTERN) && (rc != ACERR_SUCCESS))
return(-2);
-
+
if((rc == ACERR_DUPLICATE_PATTERN) && free_str_on_duplicate)
ndpi_free(value);
@@ -563,7 +569,8 @@ static int ndpi_remove_host_url_subprotocol(struct ndpi_detection_module_struct
/* ******************************************************************** */
-void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_str, ndpi_protocol_match *match) {
+void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_str,
+ ndpi_protocol_match *match) {
u_int16_t no_master[2] = {NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO};
ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
@@ -589,12 +596,12 @@ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_str, ndp
/* ******************************************************************** */
-/* Self check function to be called onli for testing purposes */
+/* Self check function to be called only for testing purposes */
void ndpi_self_check_host_match() {
u_int32_t i, j;
- for (i = 0; host_match[i].string_to_match != NULL; i++) {
- for (j = 0; host_match[j].string_to_match != NULL; j++) {
+ for(i = 0; host_match[i].string_to_match != NULL; i++) {
+ for(j = 0; host_match[j].string_to_match != NULL; j++) {
if((i != j) && (strcmp(host_match[i].string_to_match, host_match[j].string_to_match) == 0)) {
printf("[INTERNAL ERROR]: Duplicate string detected '%s' [id: %u, id %u]\n",
host_match[i].string_to_match, i, j);
@@ -610,19 +617,35 @@ void ndpi_self_check_host_match() {
static void init_string_based_protocols(struct ndpi_detection_module_struct *ndpi_str) {
int i;
- for (i = 0; host_match[i].string_to_match != NULL; i++)
+ for(i = 0; host_match[i].string_to_match != NULL; i++)
ndpi_init_protocol_match(ndpi_str, &host_match[i]);
+ /* ************************ */
+
+ for(i = 0; tls_certificate_match[i].string_to_match != NULL; i++) {
+#if 0
+ printf("%s() %s / %u\n", __FUNCTION__,
+ tls_certificate_match[i].string_to_match,
+ tls_certificate_match[i].protocol_id);
+#endif
+
+ ndpi_add_string_value_to_automa(ndpi_str->tls_cert_subject_automa.ac_automa,
+ tls_certificate_match[i].string_to_match,
+ tls_certificate_match[i].protocol_id);
+ }
+
+ /* ************************ */
+
ndpi_enable_loaded_categories(ndpi_str);
#ifdef MATCH_DEBUG
// ac_automata_display(ndpi_str->host_automa.ac_automa, 'n');
#endif
- for (i = 0; ndpi_en_bigrams[i] != NULL; i++)
+ for(i = 0; ndpi_en_bigrams[i] != NULL; i++)
ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_bigrams[i], 1, 1, 1, 0, 0);
- for (i = 0; ndpi_en_impossible_bigrams[i] != NULL; i++)
+ for(i = 0; ndpi_en_impossible_bigrams[i] != NULL; i++)
ndpi_string_to_automa(ndpi_str, &ndpi_str->impossible_bigrams_automa, (char *) ndpi_en_impossible_bigrams[i], 1,
1, 1, 0, 0);
}
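Review bot: The return value of `ndpi_add_string_value_to_automa()` is dropped in the new loop, so a certificate pattern that fails to load is lost without a trace and the matching traffic is simply never classified. Possible causes would be an allocation failure, a duplicate entry, or a NULL automa if the `ac_automata_init()` call added elsewhere in this commit failed. I would log the failure, e.g. `if(ndpi_add_string_value_to_automa(...) < 0) NDPI_LOG_ERR(ndpi_str, "[NDPI] unable to add TLS certificate pattern %s\n", tls_certificate_match[i].string_to_match);`, assuming the function reports errors with a negative value as `ndpi_add_string_to_automa()` appears to. The `#if 0` debug print would fit the file better under `#ifdef MATCH_DEBUG`, which this function already uses a few lines below.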
@@ -657,7 +680,7 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_struct *ndpi_str) {
int i;
- for (i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) {
+ for(i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) {
if(ndpi_str->proto_defaults[i].protoName == NULL) {
NDPI_LOG_ERR(ndpi_str,
"[NDPI] INTERNAL ERROR missing protoName initialization for [protoId=%d]: recovering\n", i);
@@ -1578,7 +1601,8 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
#ifdef MATCH_DEBUG
printf("Searching [to search: %s/%u][pattern: %s/%u] [len: %d][match_num: %u][%s]\n", buf,
- (unigned int) txt->length, m->patterns->astring, (unigned int) m->patterns->length, min_len, m->match_num,
+ (unsigned int) txt->length, m->patterns->astring,
+ (unsigned int) m->patterns->length, min_len, m->match_num,
m->patterns->astring);
#endif
@@ -1785,7 +1809,7 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str,
return(-1);
}
- while (1) {
+ while(1) {
line = fgets(buffer, sizeof(buffer), fd);
if(line == NULL)
@@ -1824,7 +1848,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str,
u_int8_t skip_tor_hosts) {
int i;
- for (i = 0; host_list[i].network != 0x0; i++) {
+ for(i = 0; host_list[i].network != 0x0; i++) {
struct in_addr pin;
patricia_node_t *node;
@@ -2117,8 +2141,9 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_str->content_automa.ac_automa = ac_automata_init(ac_match_handler);
ndpi_str->bigrams_automa.ac_automa = ac_automata_init(ac_match_handler);
ndpi_str->impossible_bigrams_automa.ac_automa = ac_automata_init(ac_match_handler);
+ ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(ac_match_handler);
ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
-
+
if((sizeof(categories) / sizeof(char *)) != NDPI_PROTOCOL_NUM_CATEGORIES) {
NDPI_LOG_ERR(ndpi_str, "[NDPI] invalid categories length: expected %u, got %u\n", NDPI_PROTOCOL_NUM_CATEGORIES,
(unsigned int) (sizeof(categories) / sizeof(char *)));
@@ -2138,7 +2163,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_init_protocol_defaults(ndpi_str);
- for (i = 0; i < NUM_CUSTOM_CATEGORIES; i++)
+ for(i = 0; i < NUM_CUSTOM_CATEGORIES; i++)
snprintf(ndpi_str->custom_category_labels[i], CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u",
(unsigned int) (i + 1));
@@ -2147,10 +2172,10 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
/* *********************************************** */
-void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str) {
+void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) {
u_int i;
- for (i = 0; i < 5; i++) {
+ for(i = 0; i < 99; i++) {
ndpi_automa *automa;
switch(i) {
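Review bot: The bound in `for(i = 0; i < 99; i++)` is a magic number that no longer limits anything, because the loop now ends through the `default: return;` added in the next hunk. The function therefore exits from inside the switch, and any statement placed after the loop would never run; the body continues outside this hunk, so I cannot tell whether anything follows it today. I would write `for(i = 0; ; i++)` with a comment `/* terminated by the default: case once every automa has been finalized */`, so the next person adding an automa sees where the loop stops.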
@@ -2174,9 +2199,12 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str)
automa = &ndpi_str->risky_domain_automa;
break;
- default:
- automa = NULL;
+ case 5:
+ automa = &ndpi_str->tls_cert_subject_automa;
break;
+
+ default:
+ return;
}
if(automa && automa->ac_automa) {
@@ -2392,7 +2420,7 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str != NULL) {
int i;
- for (i = 0; i < (NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS); i++) {
+ for(i = 0; i < (NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS); i++) {
if(ndpi_str->proto_defaults[i].protoName)
ndpi_free(ndpi_str->proto_defaults[i].protoName);
}
@@ -2433,7 +2461,10 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str->risky_domain_automa.ac_automa != NULL)
ac_automata_release((AC_AUTOMATA_t *) ndpi_str->risky_domain_automa.ac_automa, 0);
-
+
+ if(ndpi_str->tls_cert_subject_automa.ac_automa != NULL)
+ ac_automata_release((AC_AUTOMATA_t *) ndpi_str->tls_cert_subject_automa.ac_automa, 0);
+
if(ndpi_str->custom_categories.hostnames.ac_automa != NULL)
ac_automata_release((AC_AUTOMATA_t *) ndpi_str->custom_categories.hostnames.ac_automa,
1 /* free patterns strings memory */);
@@ -2453,7 +2484,7 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
#endif
ndpi_free_geeoip(ndpi_str);
-
+
ndpi_free(ndpi_str);
}
}
@@ -2651,7 +2682,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
} else
at[0] = 0, proto = &at[1];
- for (i = 0; proto[i] != '\0'; i++) {
+ for(i = 0; proto[i] != '\0'; i++) {
switch(proto[i]) {
case '/':
case '&':
@@ -2666,7 +2697,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
}
}
- for (i = 0, def = NULL; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) {
+ for(i = 0, def = NULL; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) {
if(ndpi_str->proto_defaults[i].protoName
&& strcasecmp(ndpi_str->proto_defaults[i].protoName, proto) == 0) {
def = &ndpi_str->proto_defaults[i];
@@ -2702,7 +2733,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
}
}
- while ((elem = strsep(&rule, ",")) != NULL) {
+ while((elem = strsep(&rule, ",")) != NULL) {
char *attr = elem, *value = NULL;
ndpi_port_range range;
int is_tcp = 0, is_udp = 0, is_ip = 0;
@@ -2779,7 +2810,7 @@ int ndpi_load_categories_file(struct ndpi_detection_module_struct *ndpi_str, con
return(-1);
}
- while (1) {
+ while(1) {
line = fgets(buffer, sizeof(buffer), fd);
if(line == NULL)
@@ -2821,9 +2852,9 @@ static int ndpi_load_risky_domain(struct ndpi_detection_module_struct *ndpi_str,
if(ndpi_str->risky_domain_automa.ac_automa) {
char buf[64];
u_int i, len;
-
+
snprintf(buf, sizeof(buf)-1, "%s$", domain_name);
- for (i = 0, len = strlen(buf)-1 /* Skip $ */; i < len; i++) buf[i] = tolower(buf[i]);
+ for(i = 0, len = strlen(buf)-1 /* Skip $ */; i < len; i++) buf[i] = tolower(buf[i]);
return(ndpi_add_string_to_automa(ndpi_str->risky_domain_automa.ac_automa, buf));
}
@@ -2865,7 +2896,7 @@ int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, co
continue;
line[len - 1] = '\0';
-
+
if(ndpi_load_risky_domain(ndpi_str, line) >= 0)
num++;
}
@@ -2874,7 +2905,7 @@ int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, co
if(ndpi_str->risky_domain_automa.ac_automa)
ac_automata_finalize((AC_AUTOMATA_t *)ndpi_str->risky_domain_automa.ac_automa);
-
+
return(num);
}
@@ -2915,11 +2946,11 @@ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_str, cons
goto close_fd;
}
- while (1) {
+ while(1) {
char *line = buffer;
int line_len = buffer_len;
- while ((line = fgets(line, line_len, fd)) != NULL && line[strlen(line) - 1] != '\n') {
+ while((line = fgets(line, line_len, fd)) != NULL && line[strlen(line) - 1] != '\n') {
i = strlen(line);
old_buffer = buffer;
old_buffer_len = buffer_len;
@@ -3512,7 +3543,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* now build the specific buffer for tcp, udp and non_tcp_udp */
ndpi_str->callback_buffer_size_tcp_payload = 0;
ndpi_str->callback_buffer_size_tcp_no_payload = 0;
- for (a = 0; a < ndpi_str->callback_buffer_size; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size; a++) {
if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask &
(NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP |
NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) {
@@ -3539,7 +3570,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
}
ndpi_str->callback_buffer_size_udp = 0;
- for (a = 0; a < ndpi_str->callback_buffer_size; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size; a++) {
if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask &
(NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP |
NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) {
@@ -3554,7 +3585,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
}
ndpi_str->callback_buffer_size_non_tcp_udp = 0;
- for (a = 0; a < ndpi_str->callback_buffer_size; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size; a++) {
if((ndpi_str->callback_buffer[a].ndpi_selection_bitmask &
(NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP |
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP)) == 0 ||
@@ -3584,7 +3615,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
*/
int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struct *ndpi_str, const u_int8_t **l4ptr,
u_int16_t *l4len, u_int8_t *nxt_hdr) {
- while ((*nxt_hdr == 0 || *nxt_hdr == 43 || *nxt_hdr == 44 || *nxt_hdr == 60 || *nxt_hdr == 135 || *nxt_hdr == 59)) {
+ while((*nxt_hdr == 0 || *nxt_hdr == 43 || *nxt_hdr == 44 || *nxt_hdr == 60 || *nxt_hdr == 135 || *nxt_hdr == 59)) {
u_int16_t ehdr_len;
// no next header
@@ -3796,49 +3827,49 @@ void ndpi_apply_flow_protocol_to_packet(struct ndpi_flow_struct *flow, struct nd
/* ****************************************************** */
void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
- if (flow) {
- if (flow->http.url)
+ if(flow) {
+ if(flow->http.url)
ndpi_free(flow->http.url);
- if (flow->http.content_type)
+ if(flow->http.content_type)
ndpi_free(flow->http.content_type);
- if (flow->http.request_content_type)
+ if(flow->http.request_content_type)
ndpi_free(flow->http.request_content_type);
- if (flow->http.user_agent)
+ if(flow->http.user_agent)
ndpi_free(flow->http.user_agent);
- if (flow->kerberos_buf.pktbuf)
+ if(flow->kerberos_buf.pktbuf)
ndpi_free(flow->kerberos_buf.pktbuf);
- if (flow_is_proto(flow, NDPI_PROTOCOL_QUIC) ||
+ if(flow_is_proto(flow, NDPI_PROTOCOL_QUIC) ||
flow_is_proto(flow, NDPI_PROTOCOL_TLS) ||
flow_is_proto(flow, NDPI_PROTOCOL_DTLS) ||
flow_is_proto(flow, NDPI_PROTOCOL_MAIL_SMTPS) ||
flow_is_proto(flow, NDPI_PROTOCOL_MAIL_POPS) ||
flow_is_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS)) {
- if (flow->protos.tls_quic_stun.tls_quic.server_names)
+ if(flow->protos.tls_quic_stun.tls_quic.server_names)
ndpi_free(flow->protos.tls_quic_stun.tls_quic.server_names);
- if (flow->protos.tls_quic_stun.tls_quic.alpn)
+ if(flow->protos.tls_quic_stun.tls_quic.alpn)
ndpi_free(flow->protos.tls_quic_stun.tls_quic.alpn);
- if (flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
+ if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
ndpi_free(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
- if (flow->protos.tls_quic_stun.tls_quic.issuerDN)
+ if(flow->protos.tls_quic_stun.tls_quic.issuerDN)
ndpi_free(flow->protos.tls_quic_stun.tls_quic.issuerDN);
- if (flow->protos.tls_quic_stun.tls_quic.subjectDN)
+ if(flow->protos.tls_quic_stun.tls_quic.subjectDN)
ndpi_free(flow->protos.tls_quic_stun.tls_quic.subjectDN);
- if (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni)
+ if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni)
ndpi_free(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni);
}
- if (flow->l4_proto == IPPROTO_TCP) {
- if (flow->l4.tcp.tls.message.buffer)
+ if(flow->l4_proto == IPPROTO_TCP) {
+ if(flow->l4.tcp.tls.message.buffer)
ndpi_free(flow->l4.tcp.tls.message.buffer);
#ifdef FRAG_MAN
free_fragment(&flow->tcp_segments_list[0]);
@@ -3946,7 +3977,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
#ifdef FRAG_MAN
/* initialize the buffer to manage segments for a new http/dns connection */
flow->tcp_segments_management=1;
- for (int i=0; i<2; i++ ) {
+ for(int i=0; i<2; i++ ) {
// reset counter tcp segments management lists
flow->tcp_segments_list[i].ct_frag=0;
}
@@ -4150,7 +4181,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func, num_calls++;
}
- for (a = 0; a < ndpi_str->callback_buffer_size_non_tcp_udp; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size_non_tcp_udp; a++) {
if((func != ndpi_str->callback_buffer_non_tcp_udp[a].func) &&
(ndpi_str->callback_buffer_non_tcp_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
ndpi_str->callback_buffer_non_tcp_udp[a].ndpi_selection_bitmask &&
@@ -4194,7 +4225,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
}
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
- for (a = 0; a < ndpi_str->callback_buffer_size_udp; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) {
if((func != ndpi_str->callback_buffer_udp[a].func) &&
(ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask &&
@@ -4253,7 +4284,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
}
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
- for (a = 0; a < ndpi_str->callback_buffer_size_tcp_payload; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size_tcp_payload; a++) {
if((func != ndpi_str->callback_buffer_tcp_payload[a].func) &&
(ndpi_str->callback_buffer_tcp_payload[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
ndpi_str->callback_buffer_tcp_payload[a].ndpi_selection_bitmask &&
@@ -4286,7 +4317,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func, num_calls++;
}
- for (a = 0; a < ndpi_str->callback_buffer_size_tcp_no_payload; a++) {
+ for(a = 0; a < ndpi_str->callback_buffer_size_tcp_no_payload; a++) {
if((func != ndpi_str->callback_buffer_tcp_payload[a].func) &&
(ndpi_str->callback_buffer_tcp_no_payload[a].ndpi_selection_bitmask & *ndpi_selection_packet) ==
ndpi_str->callback_buffer_tcp_no_payload[a].ndpi_selection_bitmask &&
@@ -4571,7 +4602,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
u_int len;
AC_PATTERN_t ac_pattern;
AC_ERROR_t rc;
-
+
if(name_to_add == NULL)
return(-1);
else
@@ -4632,7 +4663,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int i;
/* First add the nDPI known categories matches */
- for (i = 0; category_match[i].string_to_match != NULL; i++)
+ for(i = 0; category_match[i].string_to_match != NULL; i++)
ndpi_load_category(ndpi_str, category_match[i].string_to_match, category_match[i].protocol_category);
/* Free */
@@ -4951,7 +4982,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
/* This is a custom protocol and it has priority over everything else */
ret->master_protocol = flow->guessed_protocol_id, ret->app_protocol = flow->guessed_host_protocol_id;
- //num_calls =
+ //num_calls =
ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
//if(ndpi_str->ndpi_num_custom_protocols != 0)
@@ -5067,7 +5098,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
if(a != NDPI_PROTOCOL_UNKNOWN) {
int i;
- for (i = 0; i < sizeof(flow->host_server_name); i++) {
+ for(i = 0; i < sizeof(flow->host_server_name); i++) {
if(flow->host_server_name[i] != '\0')
flow->host_server_name[i] = tolower(flow->host_server_name[i]);
else {
@@ -5204,7 +5235,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
val = 0;
// cancel if eof, ' ' or line end chars are reached
- while (*str >= '0' && *str <= '9' && max_chars_to_read > 0) {
+ while(*str >= '0' && *str <= '9' && max_chars_to_read > 0) {
val *= 10;
val += *str - '0';
str++;
@@ -5229,7 +5260,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
max_chars_to_read -= 2;
*bytes_read = *bytes_read + 2;
- while (max_chars_to_read > 0) {
+ while(max_chars_to_read > 0) {
if(*str >= '0' && *str <= '9') {
val *= 16;
val += *str - '0';
@@ -5259,7 +5290,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
u_int64_t val;
val = 0;
// cancel if eof, ' ' or line end chars are reached
- while (max_chars_to_read > 0 && *str >= '0' && *str <= '9') {
+ while(max_chars_to_read > 0 && *str >= '0' && *str <= '9') {
val *= 10;
val += *str - '0';
str++;
@@ -5282,7 +5313,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
str += 2;
max_chars_to_read -= 2;
*bytes_read = *bytes_read + 2;
- while (max_chars_to_read > 0) {
+ while(max_chars_to_read > 0) {
if(*str >= '0' && *str <= '9') {
val *= 16;
val += *str - '0';
@@ -5364,7 +5395,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
packet->line[packet->parsed_lines].ptr = packet->payload;
packet->line[packet->parsed_lines].len = 0;
- for (a = 0; ((a+1) < packet->payload_packet_len) && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) {
+ for(a = 0; ((a+1) < packet->payload_packet_len) && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) {
if((packet->payload[a] == 0x0d) && (packet->payload[a+1] == 0x0a)) {
/* If end of line char sequence CR+NL "\r\n", process line */
@@ -5460,7 +5491,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[14];
packet->content_line.len = packet->line[packet->parsed_lines].len - 14;
- while ((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' '))
+ while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' '))
packet->content_line.len--, packet->content_line.ptr++;
packet->http_num_headers++;
@@ -5478,7 +5509,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
char separator[] = {';', '\r', '\0'};
int i;
- for (i = 0; separator[i] != '\0'; i++) {
+ for(i = 0; separator[i] != '\0'; i++) {
char *c = memchr((char *) packet->content_line.ptr, separator[i], packet->content_line.len);
if(c != NULL)
@@ -5632,7 +5663,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
packet->line[packet->parsed_lines].ptr = packet->payload;
packet->line[packet->parsed_lines].len = 0;
- for (a = 0; a < end; a++) {
+ for(a = 0; a < end; a++) {
if(packet->payload[a] == 0x0a) {
packet->line[packet->parsed_lines].len = (u_int16_t)(
((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr));
@@ -5669,7 +5700,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
packet->payload[counter] == '-' || packet->payload[counter] == '_')) {
NDPI_LOG_DBG2(ndpi_str, "first letter\n");
counter++;
- while (packet->payload_packet_len > counter &&
+ while(packet->payload_packet_len > counter &&
((packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') ||
(packet->payload[counter] >= 'A' && packet->payload[counter] <= 'Z') ||
(packet->payload[counter] >= '0' && packet->payload[counter] <= '9') ||
@@ -5680,7 +5711,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
if(packet->payload_packet_len > counter && packet->payload[counter] == '@') {
NDPI_LOG_DBG2(ndpi_str, "@\n");
counter++;
- while (packet->payload_packet_len > counter &&
+ while(packet->payload_packet_len > counter &&
((packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') ||
(packet->payload[counter] >= 'A' && packet->payload[counter] <= 'Z') ||
(packet->payload[counter] >= '0' && packet->payload[counter] <= '9') ||
@@ -5860,7 +5891,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
void ndpi_int_reset_packet_protocol(struct ndpi_packet_struct *packet) {
int a;
- for (a = 0; a < NDPI_PROTOCOL_SIZE; a++)
+ for(a = 0; a < NDPI_PROTOCOL_SIZE; a++)
packet->detected_protocol_stack[a] = NDPI_PROTOCOL_UNKNOWN;
}
@@ -5870,7 +5901,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
if(flow) {
int a;
- for (a = 0; a < NDPI_PROTOCOL_SIZE; a++)
+ for(a = 0; a < NDPI_PROTOCOL_SIZE; a++)
flow->detected_protocol_stack[a] = NDPI_PROTOCOL_UNKNOWN;
}
}
@@ -6290,7 +6321,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int ndpi_get_protocol_id(struct ndpi_detection_module_struct *ndpi_str, char *proto) {
int i;
- for (i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++)
+ for(i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++)
if(strcasecmp(proto, ndpi_str->proto_defaults[i].protoName) == 0)
return(i);
@@ -6302,7 +6333,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int ndpi_get_category_id(struct ndpi_detection_module_struct *ndpi_str, char *cat) {
int i;
- for (i = 0; i < NDPI_PROTOCOL_NUM_CATEGORIES; i++) {
+ for(i = 0; i < NDPI_PROTOCOL_NUM_CATEGORIES; i++) {
const char *name = ndpi_category_get_name(ndpi_str, i);
if(strcasecmp(cat, name) == 0)
@@ -6317,7 +6348,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
void ndpi_dump_protocols(struct ndpi_detection_module_struct *ndpi_str) {
int i;
- for (i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++)
+ for(i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++)
printf("%3d %-22s %-8s %-12s %s\n", i, ndpi_str->proto_defaults[i].protoName,
ndpi_get_l4_proto_name(ndpi_get_l4_proto_info(ndpi_str, i)),
ndpi_get_proto_breed_name(ndpi_str, ndpi_str->proto_defaults[i].protoBreed),
@@ -6342,10 +6373,10 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
do {
if(slen-- < 1 || (sc = *s++) == '\0')
return(NULL);
- } while (sc != c);
+ } while(sc != c);
if(len > slen)
return(NULL);
- } while (strncmp(s, find, len) != 0);
+ } while(strncmp(s, find, len) != 0);
s--;
}
@@ -6397,7 +6428,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
return(NDPI_PROTOCOL_UNKNOWN);
if(!automa->ac_automa_finalized) {
- printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initalization()\n", __FILE__, __LINE__);
+ printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initialization()\n", __FILE__, __LINE__);
return(0); /* No matches */
}
@@ -6499,11 +6530,11 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
ndpi_protocol_category_t id;
char buf[96];
- buf_len = ndpi_min(string_to_match_len, sizeof(buf)-2);
+ buf_len = ndpi_min(string_to_match_len, sizeof(buf)-2);
for(i=0; i<buf_len; i++) buf[i] = tolower(string_to_match[i]);
buf[i++] = '$'; /* Add trailer $ */
buf[i] = '\0';
-
+
rc = ndpi_automa_match_string_subprotocol(ndpi_str, flow, buf, i,
master_protocol_id, ret_match, 1);
id = ret_match->protocol_category;
@@ -6517,11 +6548,11 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
if(ndpi_str->risky_domain_automa.ac_automa != NULL) {
u_int16_t rc1 = ndpi_match_string(ndpi_str->risky_domain_automa.ac_automa, buf);
-
+
if(rc1 > 0)
- NDPI_SET_BIT(flow->risk, NDPI_RISKY_DOMAIN);
+ NDPI_SET_BIT(flow->risk, NDPI_RISKY_DOMAIN);
}
-
+
return(rc);
}
@@ -6574,9 +6605,9 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
if(!automa->ac_automa_finalized) {
#if 1
- ndpi_finalize_initalization(ndpi_str);
+ ndpi_finalize_initialization(ndpi_str);
#else
- printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initalization()\n", __FILE__, __LINE__);
+ printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initialization()\n", __FILE__, __LINE__);
return(0); /* No matches */
#endif
}
@@ -6639,7 +6670,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int NDPI_BITMASK_COMPARE(NDPI_PROTOCOL_BITMASK a, NDPI_PROTOCOL_BITMASK b) {
int i;
- for (i = 0; i < NDPI_NUM_FDS_BITS; i++) {
+ for(i = 0; i < NDPI_NUM_FDS_BITS; i++) {
if(a.fds_bits[i] & b.fds_bits[i])
return(1);
}
@@ -6651,7 +6682,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
int NDPI_BITMASK_IS_EMPTY(NDPI_PROTOCOL_BITMASK a) {
int i;
- for (i = 0; i < NDPI_NUM_FDS_BITS; i++)
+ for(i = 0; i < NDPI_NUM_FDS_BITS; i++)
if(a.fds_bits[i] != 0)
return(0);
@@ -6661,7 +6692,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
void NDPI_DUMP_BITMASK(NDPI_PROTOCOL_BITMASK a) {
int i;
- for (i = 0; i < NDPI_NUM_FDS_BITS; i++)
+ for(i = 0; i < NDPI_NUM_FDS_BITS; i++)
printf("[%d=%u]", i, a.fds_bits[i]);
printf("\n");
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index d9c5765d8..99f5f5649 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3,9 +3,6 @@
*
* Copyright (C) 2016-21 - ntop.org
*
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
@@ -114,7 +111,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int avail_bytes;
-
+
/* TCP */
#ifdef DEBUG_TLS_MEMORY
printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n",
@@ -137,7 +134,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
}
avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used;
-
+
if(avail_bytes < packet->payload_packet_len) {
u_int new_len = flow->l4.tcp.tls.message.buffer_len + packet->payload_packet_len - avail_bytes + 1;
void *newbuf = ndpi_realloc(flow->l4.tcp.tls.message.buffer,
@@ -155,7 +152,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
if(packet->payload_packet_len > 0 && avail_bytes >= packet->payload_packet_len) {
u_int8_t ok = 0;
-
+
if(flow->l4.tcp.tls.message.next_seq[packet->packet_direction] != 0) {
if(ntohl(packet->tcp->seq) == flow->l4.tcp.tls.message.next_seq[packet->packet_direction])
ok = 1;
@@ -165,13 +162,13 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
if(ok) {
memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used],
packet->payload, packet->payload_packet_len);
-
+
flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len;
#ifdef DEBUG_TLS_MEMORY
printf("[TLS Mem] Copied data to buffer [%u/%u bytes][direction: %u][tcp_seq: %u][next: %u]\n",
flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len,
packet->packet_direction,
- ntohl(packet->tcp->seq),
+ ntohl(packet->tcp->seq),
ntohl(packet->tcp->seq)+packet->payload_packet_len);
#endif
@@ -181,9 +178,9 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
printf("[TLS Mem] Skipping packet [%u bytes][direction: %u][tcp_seq: %u][expected next: %u]\n",
flow->l4.tcp.tls.message.buffer_len,
packet->packet_direction,
- ntohl(packet->tcp->seq),
+ ntohl(packet->tcp->seq),
ntohl(packet->tcp->seq)+packet->payload_packet_len);
-#endif
+#endif
}
}
}
@@ -519,9 +516,21 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
- if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.subjectDN == NULL))
+ if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.subjectDN == NULL)) {
flow->protos.tls_quic_stun.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf);
+ if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
+ /* No idea what is happening behind the scenes: let's check the certificate */
+ u_int32_t proto_id;
+ int rc = ndpi_match_string_value(ndpi_struct->tls_cert_subject_automa.ac_automa,
+ rdnSeqBuf, strlen(rdnSeqBuf),&proto_id);
+
+ if(rc == 0)
+ flow->detected_protocol_stack[0] = proto_id,
+ flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;
+ }
+ }
+
if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN
&& (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN)))
NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
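Review bot: The new block in processCertificateElements writes `flow->detected_protocol_stack[0]` and `[1]` directly rather than calling `ndpi_set_detected_protocol()`, which this file uses in ndpi_int_tls_add_connection, so anything else that setter maintains is skipped on this path. The anydesk-2 expected output added by this commit still reports the TLS.AnyDesk flows as `cat: Web/5` while the DNS.AnyDesk flows get `RemoteAccess/12`, which looks like a symptom of that. I would replace the comma-operator statement with `if(rc == 0) ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, NDPI_PROTOCOL_TLS);`, assuming the setter takes the upper protocol before the lower one (please confirm). The match key is the subject DN of a certificate the peer supplies, and nothing visible here validates the chain, so the label is only a hint; a comment such as `/* subjectDN is peer-controlled and unverified: treat the match as a classification hint */` would make that explicit for consumers that build policy on it. The function body starts and ends outside this hunk.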
@@ -541,7 +550,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t certificates_offset = 7;
u_int8_t num_certificates_found = 0;
SHA1_CTX srv_cert_fingerprint_ctx ;
-
+
#ifdef DEBUG_TLS
printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n",
__FUNCTION__, packet->payload_packet_len,
@@ -687,9 +696,9 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
// ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
-
+
if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
- flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
}
/* **************************************** */
@@ -784,19 +793,19 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
processTLSBlock(ndpi_struct, flow);
ndpi_looks_like_tls(ndpi_struct, flow);
-
+
processed += packet->payload_packet_len;
}
} else {
/* Process element as a whole */
if(content_type == 0x17 /* Application Data */) {
ndpi_looks_like_tls(ndpi_struct, flow);
-
- if(flow->l4.tcp.tls.certificate_processed) {
+
+ if(flow->l4.tcp.tls.certificate_processed) {
if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] =
(packet->packet_direction == 0) ? (len-5) : -(len-5);
-
+
#ifdef DEBUG_TLS_BLOCKS
printf("*** [TLS Block] [len: %u][num_tls_blocks: %u/%u]\n",
len-5, flow->l4.tcp.tls.num_tls_blocks, ndpi_struct->num_tls_blocks_to_follow);
@@ -868,7 +877,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
// handshake_type = packet->payload[13];
handshake_len = (packet->payload[14] << 16) + (packet->payload[15] << 8) + packet->payload[16];
-
+
if((handshake_len+25) != packet->payload_packet_len)
goto no_dtls;
@@ -907,7 +916,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
if((flow->packet.udp != NULL) && (protocol == NDPI_PROTOCOL_TLS))
protocol = NDPI_PROTOCOL_DTLS;
-
+
if((flow->detected_protocol_stack[0] == protocol)
|| (flow->detected_protocol_stack[1] == protocol)) {
if(!flow->check_extra_packets)
@@ -921,6 +930,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol);
+
tlsInitExtraPacketProcessing(ndpi_struct, flow);
}
diff --git a/tests/dga/dga_evaluate.c b/tests/dga/dga_evaluate.c
index 397ebbe7a..a2f792dae 100644
--- a/tests/dga/dga_evaluate.c
+++ b/tests/dga/dga_evaluate.c
@@ -62,7 +62,7 @@ int main(int argc, char **argv) {
assert(ndpi_str != NULL);
NDPI_BITMASK_SET_ALL(all);
ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
- ndpi_finalize_initalization(ndpi_str);
+ ndpi_finalize_initialization(ndpi_str);
assert(ndpi_str != NULL);
int num_detections = 0;
diff --git a/tests/pcap/anydesk-2.pcap b/tests/pcap/anydesk-2.pcap
new file mode 100644
index 000000000..20749115b
--- /dev/null
+++ b/tests/pcap/anydesk-2.pcap
Binary files differ
diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out
index e9e548111..e527923c0 100644
--- a/tests/result/KakaoTalk_talk.pcap.out
+++ b/tests/result/KakaoTalk_talk.pcap.out
@@ -1,11 +1,12 @@
HTTP 5 280 1
QQ 15 1727 1
RTP 2991 398751 2
-TLS 90 21844 3
+TLS 5 1198 1
Facebook 34 4401 4
Google 4 359 4
HTTP_Proxy 16 1838 2
Amazon 4 396 1
+KakaoTalk 85 20646 2
KakaoTalk_Voice 44 6196 2
JA3 Host Stats:
@@ -15,8 +16,8 @@ JA3 Host Stats:
1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][Goodput ratio: 69/65][45.42 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/48 202/340 49/48][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 140/126 234/236 43/33][PLAIN TEXT (46yOXQ)][Plen Bins: 0,60,19,16,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][Goodput ratio: 65/69][45.02 sec][bytes ratio: -0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/0 58/49 112/476 23/54][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 126/141 236/234 33/43][PLAIN TEXT (46yOXQ)][Plen Bins: 0,61,18,16,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 72/76][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358/3528 20472/21237 5098/5912][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242/290 878/920 254/276][Risk: ** Self-signed Certificate **** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,0,5,35,0,5,0,15,5,5,0,0,0,0,0,0,0,0,5,5,0,0,10,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64/73][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691/1317 6069/10226 1399/2632][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190/260 814/920 164/241][Risk: ** Self-signed Certificate **** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,0,4,48,0,4,0,17,4,4,0,0,0,4,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91.193/TLS.KakaoTalk][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 72/76][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358/3528 20472/21237 5098/5912][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242/290 878/920 254/276][Risk: ** Self-signed Certificate **** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,0,5,35,0,5,0,15,5,5,0,0,0,0,0,0,0,0,5,5,0,0,10,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91.193/TLS.KakaoTalk][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64/73][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691/1317 6069/10226 1399/2632][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190/260 814/920 164/241][Risk: ** Self-signed Certificate **** Obsolete TLS version (< 1.1) **** Weak TLS cipher **][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,0,4,48,0,4,0,17,4,4,0,0,0,4,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 71/27][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 141/117 494/295 163/92][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195/78 735/189 228/35][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 30,23,0,0,15,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 69/69][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4203/4247 4716/5160 1131/719][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141/142 150/142 6/0][Plen Bins: 0,0,4,95,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 69/69][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266/3766 4903/4991 1245/1144][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140/140 142/142 6/6][Plen Bins: 0,0,9,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/anydesk-2.pcap.out b/tests/result/anydesk-2.pcap.out
new file mode 100644
index 000000000..67e818f75
--- /dev/null
+++ b/tests/result/anydesk-2.pcap.out
@@ -0,0 +1,12 @@
+AnyDesk 2083 346113 4
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.1.187 1
+ 2 192.168.1.178 1
+
+
+ 1 TCP 192.168.1.187:54164 <-> 192.168.1.178:7070 [proto: 91.252/TLS.AnyDesk][cat: Web/5][509 pkts/226247 bytes <-> 1555 pkts/115282 bytes][Goodput ratio: 88/22][22.84 sec][bytes ratio: 0.325 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/14 2966/3021 229/106][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 444/74 1511/1514 475/47][Risk: ** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][TLSv1.2][JA3C: 3f2fba0262b1a22b739126dfb2fe7a7d][JA3S: ee644a8a34c434abca4b737ec1d9efad][Subject: CN=AnyDesk Client, CN=AnyDesk Client][Certificate SHA-1: F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0][Cipher: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,64,6,1,3,1,1,1,0,1,1,0,0,1,1,0,3,0,0,0,0,0,3,1,0,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,1,0,0,1,0,1,0,0]
+ 2 TCP 192.168.1.178:52039 <-> 192.168.1.187:7070 [proto: 91.252/TLS.AnyDesk][cat: Web/5][8 pkts/2035 bytes <-> 7 pkts/2157 bytes][Goodput ratio: 76/82][0.56 sec][bytes ratio: -0.029 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 92/40 406/85 150/33][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 254/308 1340/968 419/387][Risk: ** Weak TLS cipher **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 4b505adfb4a921c5a3a39d293b0811e1 (WEAK)][Subject: CN=AnyDesk Client, CN=AnyDesk Client][Certificate SHA-1: 86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,20,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0]
+ 3 UDP 192.168.1.187:55376 <-> 192.168.1.1:53 [proto: 5.252/DNS.AnyDesk][cat: RemoteAccess/12][1 pkts/90 bytes <-> 1 pkts/106 bytes][Goodput ratio: 53/60][0.01 sec][Host: relay-9b6827f2.net.anydesk.com][138.199.36.115][PLAIN TEXT (anydesk)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 4 UDP 192.168.1.187:59511 <-> 192.168.1.1:53 [proto: 5.252/DNS.AnyDesk][cat: RemoteAccess/12][1 pkts/90 bytes <-> 1 pkts/106 bytes][Goodput ratio: 53/60][0.01 sec][Host: relay-3185a847.net.anydesk.com][37.61.223.15][PLAIN TEXT (anydesk)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/simple-dnscrypt.pcap.out b/tests/result/simple-dnscrypt.pcap.out
index 2954e261c..495322602 100644
--- a/tests/result/simple-dnscrypt.pcap.out
+++ b/tests/result/simple-dnscrypt.pcap.out
@@ -1,11 +1,11 @@
-TLS 111 44676 4
+DNScrypt 111 44676 4
JA3 Host Stats:
IP Address # JA3C
1 192.168.43.167 2
- 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][Goodput ratio: 45/92][0.71 sec][ALPN: h2;http/1.1][bytes ratio: -0.782 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/20 114/119 43/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99/694 272/1364 68/594][TLSv1.2][Client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,8,4,0,0,8,0,4,4,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,33,0,0,0,0,0,0,0]
- 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][Goodput ratio: 50/89][0.52 sec][ALPN: h2;http/1.1][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/25 105/106 34/35][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 110/516 334/1364 76/542][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,28,13,4,0,0,4,0,9,4,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0]
- 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43/93][0.44 sec][ALPN: h2;http/1.1][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/32 188/124 74/51][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 98/774 264/1364 75/597][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,10,10,0,0,10,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0]
- 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91/TLS][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43/93][0.36 sec][ALPN: h2;http/1.1][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 60/32 136/140 59/53][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 98/774 264/1364 75/597][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,10,10,0,0,10,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0]
+ 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91.208/TLS.DNScrypt][cat: Web/5][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][Goodput ratio: 45/92][0.71 sec][ALPN: h2;http/1.1][bytes ratio: -0.782 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/20 114/119 43/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99/694 272/1364 68/594][TLSv1.2][Client: simplednscrypt.org][JA3C: b8f81673c0e1d29908346f3bab892b9b][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,8,4,0,0,8,0,4,4,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,33,0,0,0,0,0,0,0]
+ 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91.208/TLS.DNScrypt][cat: Web/5][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][Goodput ratio: 50/89][0.52 sec][ALPN: h2;http/1.1][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 25/25 105/106 34/35][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 110/516 334/1364 76/542][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,28,13,4,0,0,4,0,9,4,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0]
+ 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91.208/TLS.DNScrypt][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43/93][0.44 sec][ALPN: h2;http/1.1][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/32 188/124 74/51][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 98/774 264/1364 75/597][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,10,10,0,0,10,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0]
+ 4 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91.208/TLS.DNScrypt][cat: Web/5][8 pkts/780 bytes <-> 10 pkts/7735 bytes][Goodput ratio: 43/93][0.36 sec][ALPN: h2;http/1.1][bytes ratio: -0.817 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 60/32 136/140 59/53][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 98/774 264/1364 75/597][TLSv1.2][Client: simplednscrypt.org][JA3C: 83e04bc58d402f9633983cbf22724b02][ServerNames: simplednscrypt.org,www.simplednscrypt.org][JA3S: 76cc3e2d3028143b23ec18e27dbd7ca9][Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA][Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org][Certificate SHA-1: 3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41][Validity: 2015-09-21 00:00:00 - 2017-09-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,10,10,0,0,10,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0]
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index 73dc628c8..7d64114d2 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -5,9 +5,9 @@ SSDP 101 38156 6
SkypeCall 152 10704 144
ICMP 8 656 1
IGMP 5 258 4
-TLS 518 214677 10
+TLS 131 16587 9
Dropbox 38 17948 5
-Skype 1409 253031 79
+Skype 1796 451121 80
Apple 17 2225 3
AppleiCloud 88 20520 2
Spotify 5 430 1
@@ -17,7 +17,7 @@ JA3 Host Stats:
1 192.168.1.34 3
- 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71/92][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002/608 30166/30261 4602/3439][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227/778 1506/1506 423/553][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,1,2,5,0,1,2,0,0,3,0,1,0,1,0,0,0,1,1,0,0,0,2,0,1,0,0,12,2,1,0,0,0,0,0,0,2,0,0,0,2,4,0,0,0,30,0,0]
+ 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][Goodput ratio: 71/92][166.18 sec][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002/608 30166/30261 4602/3439][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227/778 1506/1506 423/553][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,1,2,5,0,1,2,0,0,3,0,1,0,1,0,0,0,1,1,0,0,0,2,0,1,0,0,12,2,1,0,0,0,0,0,0,2,0,0,0,2,4,0,0,0,30,0,0]
2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][Goodput ratio: 75/85][96.43 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 448/357 8300/8646 1136/1099][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 261/433 1506/1506 343/569][PLAIN TEXT ( 0sKWL)][Plen Bins: 28,12,3,3,9,3,1,0,1,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,23,0,0]
3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][160.13 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1136/0 19950/0 4579/0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373/0 405/0 29/0][PLAIN TEXT (NOTIFY )][Plen Bins: 0,0,0,0,0,0,0,0,8,30,18,42,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][Goodput ratio: 76/77][46.31 sec][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 115/85 899/1012 250/251][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224/248 680/1494 261/324][Risk: ** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 16,20,2,0,0,0,0,2,0,0,14,0,0,0,0,4,2,7,7,16,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index dda6eaf51..b2ac23864 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -7,9 +7,9 @@ SMBv1 5 1100 3
SkypeCall 154 10918 146
ICMP 4 328 1
IGMP 4 226 4
-TLS 521 241068 11
+TLS 173 59381 10
Dropbox 16 7342 5
-Skype 837 150140 59
+Skype 1185 331827 60
Apple 84 20699 2
JA3 Host Stats:
@@ -17,7 +17,7 @@ JA3 Host Stats:
1 192.168.1.34 3
- 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 72/92][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 370/331 45360/45460 3946/3736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235/784 1506/1506 433/565][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,2,1,5,0,1,2,0,0,3,0,0,0,1,0,0,0,1,1,0,0,1,1,0,1,0,1,10,1,1,0,0,0,0,0,0,2,0,0,0,3,5,0,0,0,30,0,0]
+ 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 72/92][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 370/331 45360/45460 3946/3736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235/784 1506/1506 433/565][Risk: ** Obsolete TLS version (< 1.1) **][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,2,1,5,0,1,2,0,0,3,0,0,0,1,0,0,0,1,1,0,0,1,1,0,1,0,1,10,1,1,0,0,0,0,0,0,2,0,0,0,3,5,0,0,0,30,0,0]
2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][Goodput ratio: 78/89][22.75 sec][bytes ratio: -0.323 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238/215 3095/3095 411/401][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 304/612 1506/1506 406/626][PLAIN TEXT (nZREBS)][Plen Bins: 26,8,2,1,4,2,0,1,0,4,1,0,0,2,0,0,2,1,1,1,2,0,0,0,0,0,0,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,30,0,0]
3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 77/80][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2273/323 55625/8255 10014/1510][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239/276 680/1494 273/358][PLAIN TEXT (/tBGEll)][Plen Bins: 16,16,0,0,0,0,0,0,0,0,16,0,0,0,0,5,2,5,13,16,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0]
4 TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 91/TLS][cat: Web/5][19 pkts/16968 bytes <-> 7 pkts/531 bytes][Goodput ratio: 93/13][10.40 sec][bytes ratio: 0.939 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 625/19 4127/44 1113/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 893/76 1506/123 670/20][Plen Bins: 27,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,51,0,0]