From 4802987178a0a49ea5ff4a01e92a35b5517734dc Mon Sep 17 00:00:00 2001 From: Luca Date: Thu, 31 Oct 2019 00:14:20 +0100 Subject: Initial work towards HTTP content-type export --- example/ndpiReader.c | 5 +- example/reader_util.c | 2 + example/reader_util.h | 2 +- src/include/ndpi_typedefs.h | 2 +- src/lib/ndpi_main.c | 23 ++++++- src/lib/ndpi_utils.c | 10 ++- src/lib/protocols/http.c | 53 +++++++++------ tests/result/1kxun.pcap.out | 36 +++++------ tests/result/6in4tunnel.pcap.out | 2 +- tests/result/EAQ.pcap.out | 4 +- tests/result/KakaoTalk_chat.pcap.out | 4 +- tests/result/KakaoTalk_talk.pcap.out | 3 +- tests/result/anyconnect-vpn.pcap.out | 11 ++-- tests/result/instagram.pcap.out | 14 ++-- tests/result/malware.pcap.out | 2 +- tests/result/mpeg.pcap.out | 2 +- tests/result/netflix.pcap.out | 54 ++++++++-------- tests/result/ocs.pcap.out | 10 +-- tests/result/pps.pcap.out | 114 ++++++++++++++++----------------- tests/result/quickplay.pcap.out | 42 ++++++------ tests/result/starcraft_battle.pcap.out | 40 ++++++------ tests/result/waze.pcap.out | 16 ++--- tests/result/webex.pcap.out | 4 +- tests/result/weibo.pcap.out | 20 +++--- 24 files changed, 260 insertions(+), 215 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 364ee6b50..268fea160 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1143,8 +1143,9 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa } if(flow->http.url[0] != '\0') - fprintf(out, "[URL: %s][StatusCode: %u]", - flow->http.url, flow->http.response_status_code); + fprintf(out, "[URL: %s][StatusCode: %u][ContentType: %s][UserAgent: %s]", + flow->http.url, flow->http.response_status_code, + flow->http.content_type, flow->http.user_agent); if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls)); if(flow->ssh_tls.client_info[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_info); diff --git a/example/reader_util.c b/example/reader_util.c index 3d9fde695..44e02616e 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -980,6 +980,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl if(flow->ndpi_flow->http.url != NULL) { snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url); flow->http.response_status_code = flow->ndpi_flow->http.response_status_code; + snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : ""); + snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : ""); } } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) { snprintf(flow->telnet.username, sizeof(flow->telnet.username), "%s", flow->ndpi_flow->protos.telnet.username); diff --git a/example/reader_util.h b/example/reader_util.h index 3ca584c18..93df6b03a 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -194,7 +194,7 @@ typedef struct ndpi_flow_info { } ssh_tls; struct { - char url[256]; + char url[256], content_type[64], user_agent[128]; u_int response_status_code; } http; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 1795ed5f1..04e439221 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1168,7 +1168,7 @@ struct ndpi_flow_struct { */ struct { ndpi_http_method method; - char *url, *content_type; + char *url, *content_type, *user_agent; u_int8_t num_request_headers, num_response_headers; u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */ u_int16_t response_status_code; /* 200, 404, etc. */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index ac8364761..3859bcb98 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3736,6 +3736,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->http.url) ndpi_free(flow->http.url); if(flow->http.content_type) ndpi_free(flow->http.content_type); + if(flow->http.user_agent) ndpi_free(flow->http.user_agent); backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; @@ -5067,15 +5068,30 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type: ", 14) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[14]; packet->content_line.len = packet->line[packet->parsed_lines].len - 14; + + while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' ')) + packet->content_line.len--, packet->content_line.ptr++; + packet->http_num_headers++; } /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ - if(packet->line[packet->parsed_lines].len > 13 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0) { + if((packet->content_line.len == 0) + && (packet->line[packet->parsed_lines].len > 13) + && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[13]; packet->content_line.len = packet->line[packet->parsed_lines].len - 13; packet->http_num_headers++; } + + if(packet->content_line.len > 0) { + /* application/json; charset=utf-8 */ + char *c = strchr((char*)packet->content_line.ptr, ';'); + + if(c != NULL) { + packet->content_line.len = c - (char*)packet->content_line.ptr; + } + } + /* "Accept:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { @@ -6249,8 +6265,9 @@ int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_str, void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow) { - if(flow->http.url) ndpi_free(flow->http.url); + if(flow->http.url) ndpi_free(flow->http.url); if(flow->http.content_type) ndpi_free(flow->http.content_type); + if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->l4_proto == IPPROTO_TCP) { if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index dbe5d7901..f11f074cd 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -966,12 +966,20 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_end_of_block(serializer); break; + case NDPI_PROTOCOL_TELNET: + ndpi_serialize_start_of_block(serializer, "telnet"); + ndpi_serialize_string_string(serializer, "username", flow->protos.telnet.username); + ndpi_serialize_end_of_block(serializer); + break; + case NDPI_PROTOCOL_HTTP: ndpi_serialize_start_of_block(serializer, "http"); if(flow->host_server_name[0] != '\0') ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name); - ndpi_serialize_string_string(serializer, "url", flow->http.url); + ndpi_serialize_string_string(serializer, "url", flow->http.url); ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code); + ndpi_serialize_string_string(serializer, "content_type", flow->http.content_type); + ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent); ndpi_serialize_end_of_block(serializer); break; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index b73a1aeee..2525cfbd7 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -39,7 +39,7 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_ #ifdef HTTP_DEBUG printf("=> %s()\n", __FUNCTION__); #endif - + if((flow->host_server_name[0] != '\0') && (flow->http.response_status_code != 0)) { /* stop extra processing */ flow->extra_packets_func = NULL; /* We're good now */ @@ -61,7 +61,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) return; /* Nothing new to add */ - + /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ ndpi_search_tcp_or_udp(ndpi_struct, flow); @@ -71,9 +71,9 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP); } else ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); - + /* This is necessary to inform the core to call this dissector again */ - flow->check_extra_packets = 1; + flow->check_extra_packets = 1; flow->max_extra_packets_to_check = 5; flow->extra_packets_func = ndpi_search_http_tcp_again; flow->http_detected = 1, flow->guessed_category = category; @@ -134,9 +134,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ struct ndpi_packet_struct *packet = &flow->packet; ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); - - if(flow->http_detected && (flow->http.response_status_code != 0)) - return; + + if(flow->http_detected && (flow->http.response_status_code != 0)) + return; #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* PPStream */ @@ -200,17 +200,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) { - int len = packet->content_line.len + 1; - - flow->http.content_type = ndpi_malloc(len); - if(flow->http.content_type) { - strncpy(flow->http.content_type, (char*)packet->content_line.ptr, - packet->content_line.len); - flow->http.content_type[packet->content_line.len] = '\0'; - } - } - if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { /** Format examples: @@ -276,6 +265,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } + if(flow->http.user_agent == NULL) { + int len = packet->user_agent_line.len + 1; + + flow->http.user_agent = ndpi_malloc(len); + if(flow->http.user_agent) { + strncpy(flow->http.user_agent, (char*)packet->user_agent_line.ptr, + packet->user_agent_line.len); + flow->http.user_agent[packet->user_agent_line.len] = '\0'; + } + } + NDPI_LOG_DBG2(ndpi_struct, "User Agent Type line found %.*s\n", packet->user_agent_line.len, packet->user_agent_line.ptr); } @@ -383,6 +383,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", packet->content_line.len, packet->content_line.ptr); + if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) { + int len = packet->content_line.len + 1; + + flow->http.content_type = ndpi_malloc(len); + if(flow->http.content_type) { + strncpy(flow->http.content_type, (char*)packet->content_line.ptr, + packet->content_line.len); + flow->http.content_type[packet->content_line.len] = '\0'; + } + } + if(flow->http_detected) { ndpi_protocol_match_result ret_match; @@ -491,7 +502,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->http.response_status_code = 0; /* Out of range */ } - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + ndpi_parse_packet_line_info(ndpi_struct, flow); check_content_type_and_change_protocol(ndpi_struct, flow); return; } @@ -615,7 +626,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct x++; } #endif - + #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* check PPStream protocol or iQiyi service (iqiyi is delivered by ppstream) */ @@ -688,7 +699,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->http_detected = 1; NDPI_LOG_DBG2(ndpi_struct, "HTTP START Found, we will look further for the response...\n"); - flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 + flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 check_content_type_and_change_protocol(ndpi_struct, flow); return; } diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 9e7358398..73d91f0af 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -19,42 +19,42 @@ JA3 Host Stats: 1 192.168.5.16 2 - 1 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7/HTTP][cat: Web/5][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Host: 183.131.48.144][bytes ratio: -0.836 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 189.9/321.4 862/665 235.6/194.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 58.0/1060.5 557/1078 44.0/127.3][URL: 183.131.48.144/vlive.qqvideo.tc.qq.com/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE656][StatusCode: 206][PLAIN TEXT (GET /vlive.qq)] - 2 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][18 pkts/1722 bytes <-> 51 pkts/61707 bytes][Host: pic.1kxun.com][bytes ratio: -0.946 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3472.5/1028.9 44994/45054 11986.3/6713.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 95.7/1209.9 416/1314 113.3/325.4][URL: pic.1kxun.com/video_kankan/images/videos/18283-jfyj3.jpg][StatusCode: 200][PLAIN TEXT (GET /video)] - 3 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][18 pkts/2440 bytes <-> 43 pkts/49237 bytes][Host: pic.1kxun.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3465.9/3.9 44999/62 11989.6/12.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 135.6/1145.0 415/1314 149.1/400.0][URL: pic.1kxun.com/video_kankan/images/videos/3578-ywzj.jpg][StatusCode: 200][PLAIN TEXT (GET /video)] - 4 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][24 pkts/2786 bytes <-> 41 pkts/46203 bytes][Host: pic.1kxun.com][bytes ratio: -0.886 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2648.9/11.6 44748/253 10524.9/44.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.1/1126.9 415/1314 133.3/398.1][URL: pic.1kxun.com/video_kankan/images/videos/3713-ydm.jpg][StatusCode: 200][PLAIN TEXT (GET /video)] - 5 TCP 192.168.115.8:49604 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][20 pkts/2564 bytes <-> 38 pkts/43013 bytes][Host: pic.1kxun.com][bytes ratio: -0.887 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3006.5/1410.1 44996/45052 11222.2/7838.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 128.2/1131.9 423/1314 145.2/402.7][URL: pic.1kxun.com/video_kankan/images/videos/4657-jfyj.jpg][StatusCode: 200][PLAIN TEXT (GET /video)] - 6 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][22 pkts/1926 bytes <-> 28 pkts/33821 bytes][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.892 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15.8/8.0 194/109 46.1/23.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 87.5/1207.9 411/1314 102.3/329.2][URL: jp.kankan.1kxun.mobi/api/movies/mp4script/10410?definition=true][StatusCode: 200][PLAIN TEXT (GET /api/movies/mp4)] - 7 TCP 192.168.115.8:49599 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][16 pkts/1612 bytes <-> 27 pkts/29579 bytes][Host: pic.1kxun.com][bytes ratio: -0.897 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11.6/6.1 66/65 22.8/18.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 100.8/1095.5 415/1314 118.8/461.2][URL: pic.1kxun.com/video_kankan/images/videos/13480-alps.jpg][StatusCode: 200][PLAIN TEXT (GET /video)] - 8 TCP 192.168.115.8:49603 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][12 pkts/1396 bytes <-> 22 pkts/24184 bytes][Host: pic.1kxun.com][bytes ratio: -0.891 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5632.4/3.6 45001/65 14880.0/14.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.3/1099.3 415/1314 133.6/455.3][URL: pic.1kxun.com/video_kankan/images/videos/16649-ljdz.jpg][StatusCode: 200][PLAIN TEXT (GET /video)] - 9 TCP 192.168.115.8:49609 <-> 42.120.51.152:8080 [proto: 7/HTTP][cat: Web/5][20 pkts/4716 bytes <-> 13 pkts/7005 bytes][Host: 42.120.51.152][bytes ratio: -0.195 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 48.8/52.0 298/178 81.1/57.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235.8/538.8 499/1314 192.8/555.7][URL: 42.120.51.152:8080/api/proxy?url=http%3A%2F%2Fvv.video.qq.com%2Fgetvinfo][StatusCode: 100][PLAIN TEXT (POST /api/proxy)] - 10 TCP 192.168.5.16:53627 <-> 203.69.81.73:80 [proto: 7/HTTP][cat: Web/5][6 pkts/676 bytes <-> 8 pkts/8822 bytes][Host: dl-obs.official.line.naver.jp][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 3.8/1.8 10/8 3.7/3.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.7/1102.8 334/1514 99.1/610.2][URL: dl-obs.official.line.naver.jp/r/talk/m/4697716954688/preview][StatusCode: 200][PLAIN TEXT (FGET /r/talk/m/4697716954688/pr)] - 11 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 7/HTTP][cat: Web/5][6 pkts/676 bytes <-> 8 pkts/8482 bytes][Host: dl-obs.official.line.naver.jp][bytes ratio: -0.852 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3.2/1.7 10/6 4.1/2.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.7/1060.2 334/1514 99.1/619.9][URL: dl-obs.official.line.naver.jp/r/talk/m/4697716971500/preview][StatusCode: 200][PLAIN TEXT (GGET /r/talk/m/4697716971500/pr)] + 1 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7/HTTP][cat: Web/5][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Host: 183.131.48.144][bytes ratio: -0.836 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 189.9/321.4 862/665 235.6/194.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 58.0/1060.5 557/1078 44.0/127.3][URL: 183.131.48.144/vlive.qqvideo.tc.qq.com/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE656][StatusCode: 206][ContentType: video/mp4][UserAgent: ][PLAIN TEXT (GET /vlive.qq)] + 2 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][18 pkts/1722 bytes <-> 51 pkts/61707 bytes][Host: pic.1kxun.com][bytes ratio: -0.946 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3472.5/1028.9 44994/45054 11986.3/6713.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 95.7/1209.9 416/1314 113.3/325.4][URL: pic.1kxun.com/video_kankan/images/videos/18283-jfyj3.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)] + 3 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][18 pkts/2440 bytes <-> 43 pkts/49237 bytes][Host: pic.1kxun.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3465.9/3.9 44999/62 11989.6/12.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 135.6/1145.0 415/1314 149.1/400.0][URL: pic.1kxun.com/video_kankan/images/videos/3578-ywzj.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)] + 4 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][24 pkts/2786 bytes <-> 41 pkts/46203 bytes][Host: pic.1kxun.com][bytes ratio: -0.886 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2648.9/11.6 44748/253 10524.9/44.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.1/1126.9 415/1314 133.3/398.1][URL: pic.1kxun.com/video_kankan/images/videos/3713-ydm.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)] + 5 TCP 192.168.115.8:49604 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][20 pkts/2564 bytes <-> 38 pkts/43013 bytes][Host: pic.1kxun.com][bytes ratio: -0.887 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3006.5/1410.1 44996/45052 11222.2/7838.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 128.2/1131.9 423/1314 145.2/402.7][URL: pic.1kxun.com/video_kankan/images/videos/4657-jfyj.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)] + 6 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][22 pkts/1926 bytes <-> 28 pkts/33821 bytes][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.892 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15.8/8.0 194/109 46.1/23.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 87.5/1207.9 411/1314 102.3/329.2][URL: jp.kankan.1kxun.mobi/api/movies/mp4script/10410?definition=true][StatusCode: 200][ContentType: text/xml][UserAgent: ][PLAIN TEXT (GET /api/movies/mp4)] + 7 TCP 192.168.115.8:49599 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][16 pkts/1612 bytes <-> 27 pkts/29579 bytes][Host: pic.1kxun.com][bytes ratio: -0.897 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11.6/6.1 66/65 22.8/18.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 100.8/1095.5 415/1314 118.8/461.2][URL: pic.1kxun.com/video_kankan/images/videos/13480-alps.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)] + 8 TCP 192.168.115.8:49603 <-> 106.187.35.246:80 [proto: 7/HTTP][cat: Streaming/17][12 pkts/1396 bytes <-> 22 pkts/24184 bytes][Host: pic.1kxun.com][bytes ratio: -0.891 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5632.4/3.6 45001/65 14880.0/14.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 116.3/1099.3 415/1314 133.6/455.3][URL: pic.1kxun.com/video_kankan/images/videos/16649-ljdz.jpg][StatusCode: 200][ContentType: image/jpeg][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /video)] + 9 TCP 192.168.115.8:49609 <-> 42.120.51.152:8080 [proto: 7/HTTP][cat: Web/5][20 pkts/4716 bytes <-> 13 pkts/7005 bytes][Host: 42.120.51.152][bytes ratio: -0.195 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 48.8/52.0 298/178 81.1/57.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235.8/538.8 499/1314 192.8/555.7][URL: 42.120.51.152:8080/api/proxy?url=http%3A%2F%2Fvv.video.qq.com%2Fgetvinfo][StatusCode: 100][ContentType: application/x-www-form-urlencoded][UserAgent: Mozilla/5.0][PLAIN TEXT (POST /api/proxy)] + 10 TCP 192.168.5.16:53627 <-> 203.69.81.73:80 [proto: 7/HTTP][cat: Web/5][6 pkts/676 bytes <-> 8 pkts/8822 bytes][Host: dl-obs.official.line.naver.jp][bytes ratio: -0.858 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 3.8/1.8 10/8 3.7/3.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.7/1102.8 334/1514 99.1/610.2][URL: dl-obs.official.line.naver.jp/r/talk/m/4697716954688/preview][StatusCode: 200][ContentType: image/jpeg][UserAgent: DESKTOP:MAC:10.10.5-YOSEMITE(4.7.2)][PLAIN TEXT (FGET /r/talk/m/4697716954688/pr)] + 11 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 7/HTTP][cat: Web/5][6 pkts/676 bytes <-> 8 pkts/8482 bytes][Host: dl-obs.official.line.naver.jp][bytes ratio: -0.852 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3.2/1.7 10/6 4.1/2.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 112.7/1060.2 334/1514 99.1/619.9][URL: dl-obs.official.line.naver.jp/r/talk/m/4697716971500/preview][StatusCode: 200][ContentType: image/jpeg][UserAgent: DESKTOP:MAC:10.10.5-YOSEMITE(4.7.2)][PLAIN TEXT (GGET /r/talk/m/4697716971500/pr)] 12 UDP [fe80::9bd:81dd:2fdc:5750]:1900 -> [ff02::c]:1900 [proto: 12/SSDP][cat: System/18][16 pkts/8921 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 103/0 511.6/0.0 2044/0 526.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 510/0 557.6/0.0 590/0 29.6/0.0][PLAIN TEXT (NOTIFY )] 13 UDP 192.168.5.49:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][16 pkts/8473 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 102/0 511.5/0.0 2044/0 526.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 482/0 529.6/0.0 562/0 29.6/0.0][PLAIN TEXT (NOTIFY )] 14 TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91/TLS][cat: Web/5][13 pkts/6269 bytes <-> 10 pkts/1165 bytes][bytes ratio: 0.687 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/31 352.0/2546.4 3289/14274 979.8/4917.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 482.2/116.5 1514/386 581.5/101.3] - 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 70.1/191.0 476/506 135.7/201.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 197.2/200.0 499/372 175.9/149.1][URL: vv.video.qq.com/getvinfo][StatusCode: 100][PLAIN TEXT (POST /getvinfo HTTP/1.1)] + 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com][bytes ratio: 0.434 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 70.1/191.0 476/506 135.7/201.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 197.2/200.0 499/372 175.9/149.1][URL: vv.video.qq.com/getvinfo][StatusCode: 100][ContentType: ][UserAgent: Mozilla/5.0][PLAIN TEXT (POST /getvinfo HTTP/1.1)] 16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][cat: Network/14][14 pkts/4788 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 412/0 3105.8/0.0 12289/0 3176.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0] 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][4 pkts/2050 bytes <-> 5 pkts/2297 bytes][bytes ratio: -0.057 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/0 60.0/44.0 176/133 82.0/54.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 512.5/459.4 1159/1464 468.4/535.8] 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][bytes ratio: 0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 2322.6/4176.2 15252/15254 4895.4/5951.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 178.1/210.4 1067/1055 287.5/323.1][TLSv1.2][Client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 746.1/1336.2 5987/5987 1865.2/2340.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 177.7/210.4 1067/1055 287.4/323.1][TLSv1.2][Client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][bytes ratio: 0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 753.4/1500.5 5998/5998 1982.3/2596.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 189.5/231.9 1067/1055 298.9/340.1][TLSv1.2][Client: 1][JA3C: 618ee2509ef52bf0b8216e1564eea909][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.338 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6.2/16.0 36/43 13.3/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 141.0/456.4 390/1314 143.8/511.5][URL: jp.kankan.1kxun.mobi/api/videos/10410.json][StatusCode: 200][PLAIN TEXT (GET /api/videos/10410.j)] + 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.338 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 6.2/16.0 36/43 13.3/19.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 141.0/456.4 390/1314 143.8/511.5][URL: jp.kankan.1kxun.mobi/api/videos/10410.json][StatusCode: 200][ContentType: application/json][UserAgent: ][PLAIN TEXT (GET /api/videos/10410.j)] 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 981.8/1763.2 6000/6000 1977.8/2381.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 176.6/158.4 1051/639 283.0/188.4][TLSv1.2][Client: 1][JA3C: 799135475da362592a4be9199d258726][JA3S: 573a9f3f80037fb40d481e2054def5bb (WEAK)][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] - 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.024 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 5638.9/28.5 44799/53 14801.4/24.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 139.4/366.0 468/1272 164.4/523.1][URL: jp.kankan.1kxun.mobi/api/videos/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377698][StatusCode: 200][PLAIN TEXT (GET /api/videos/10410.j)] + 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7/HTTP][cat: Streaming/17][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi][bytes ratio: -0.024 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 5638.9/28.5 44799/53 14801.4/24.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 139.4/366.0 468/1272 164.4/523.1][URL: jp.kankan.1kxun.mobi/api/videos/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377698][StatusCode: 200][ContentType: application/x-javascript][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /api/videos/10410.j)] 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][5 pkts/1006 bytes <-> 5 pkts/1487 bytes][bytes ratio: -0.193 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 63.5/63.5 205/212 84.1/87.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 201.2/297.4 471/1223 139.5/462.8] 25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][14 pkts/2450 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2968/0 4488.2/0.0 17921/0 4136.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] - 26 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7/HTTP][cat: Streaming/17][10 pkts/1406 bytes <-> 4 pkts/980 bytes][Host: kankan.1kxun.com][bytes ratio: 0.179 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/9 5642.8/39.5 44798/70 14799.6/30.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 140.6/245.0 474/788 166.8/313.5][URL: kankan.1kxun.com/api/videos/alsolikes/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377899][StatusCode: 200][PLAIN TEXT (GET /api/videos/alsolikes/10410)] - 27 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 7/HTTP][cat: Web/5][10 pkts/1428 bytes <-> 4 pkts/867 bytes][Host: 183.131.48.145][bytes ratio: 0.244 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28.5/41.5 74/83 34.4/41.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 142.8/216.8 486/687 171.7/271.5][URL: 183.131.48.145/vlive.qqvideo.tc.qq.com/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE656][StatusCode: 302][PLAIN TEXT (GET /vlive.qq)] + 26 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7/HTTP][cat: Streaming/17][10 pkts/1406 bytes <-> 4 pkts/980 bytes][Host: kankan.1kxun.com][bytes ratio: 0.179 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/9 5642.8/39.5 44798/70 14799.6/30.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 140.6/245.0 474/788 166.8/313.5][URL: kankan.1kxun.com/api/videos/alsolikes/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377899][StatusCode: 200][ContentType: application/json][UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22][PLAIN TEXT (GET /api/videos/alsolikes/10410)] + 27 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 7/HTTP][cat: Web/5][10 pkts/1428 bytes <-> 4 pkts/867 bytes][Host: 183.131.48.145][bytes ratio: 0.244 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28.5/41.5 74/83 34.4/41.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 142.8/216.8 486/687 171.7/271.5][URL: 183.131.48.145/vlive.qqvideo.tc.qq.com/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE656][StatusCode: 302][ContentType: ][UserAgent: ][PLAIN TEXT (GET /vlive.qq)] 28 UDP 192.168.5.44:51389 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][13 pkts/2275 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2967/0 5110.0/0.0 15056/0 4451.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] 29 UDP 192.168.3.95:59468 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][12 pkts/2100 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2967/0 4198.4/0.0 14952/0 3584.8/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] 30 UDP 192.168.5.9:55484 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][12 pkts/2100 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2968/0 4679.7/0.0 19869/0 5063.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] - 31 TCP 192.168.5.16:53624 <-> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][7 pkts/996 bytes <-> 5 pkts/986 bytes][Host: api.magicansoft.com][bytes ratio: 0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/8 2390.6/3919.0 11352/11551 4481.4/5397.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142.3/197.2 331/390 116.9/157.4][URL: api.magicansoft.com/comMagicanApi/composite/app.php/Global/Index/ip][StatusCode: 502][PLAIN TEXT (GET /comMagicanApi/composite/ap)] + 31 TCP 192.168.5.16:53624 <-> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][7 pkts/996 bytes <-> 5 pkts/986 bytes][Host: api.magicansoft.com][bytes ratio: 0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/8 2390.6/3919.0 11352/11551 4481.4/5397.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 142.3/197.2 331/390 116.9/157.4][URL: api.magicansoft.com/comMagicanApi/composite/app.php/Global/Index/ip][StatusCode: 502][ContentType: text/html][UserAgent: Magican (unknown version) CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)][PLAIN TEXT (GET /comMagicanApi/composite/ap)] 32 UDP 192.168.101.33:55485 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][10 pkts/1750 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2969/0 5540.9/0.0 19870/0 5204.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] 33 UDP 192.168.5.49:51704 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][9 pkts/1611 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2965/0 5631.2/0.0 15155/0 3854.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 179/0 179.0/0.0 179/0 0.0/0.0][PLAIN TEXT (SEARCH )] 34 UDP 192.168.5.50:64674 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][9 pkts/1611 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2949/0 7126.4/0.0 24065/0 7503.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 179/0 179.0/0.0 179/0 0.0/0.0][PLAIN TEXT (SEARCH )] 35 UDP 192.168.5.37:57325 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][9 pkts/1575 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2969/0 5631.9/0.0 18024/0 4842.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] - 36 TCP 192.168.115.8:49607 <-> 218.244.135.170:9099 [proto: 7/HTTP][cat: Web/5][10 pkts/880 bytes <-> 3 pkts/572 bytes][Host: 218.244.135.170][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/119 53.9/119.0 318/119 106.3/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 88.0/190.7 212/446 62.2/180.6][URL: 218.244.135.170:9099/api/qqlive_ckey/get?vid=y0013xaeeyo&platform=10902][StatusCode: 200][PLAIN TEXT (GET /api/qq)] + 36 TCP 192.168.115.8:49607 <-> 218.244.135.170:9099 [proto: 7/HTTP][cat: Web/5][10 pkts/880 bytes <-> 3 pkts/572 bytes][Host: 218.244.135.170][bytes ratio: 0.212 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/119 53.9/119.0 318/119 106.3/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 88.0/190.7 212/446 62.2/180.6][URL: 218.244.135.170:9099/api/qqlive_ckey/get?vid=y0013xaeeyo&platform=10902][StatusCode: 200][ContentType: ][UserAgent: Mozilla/5.0][PLAIN TEXT (GET /api/qq)] 37 UDP 192.168.5.47:60267 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][8 pkts/1432 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2968/0 5441.7/0.0 17101/0 4875.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 179/0 179.0/0.0 179/0 0.0/0.0][PLAIN TEXT (SEARCH )] 38 UDP 192.168.5.41:55312 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][8 pkts/1400 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2949/0 8173.7/0.0 27242/0 8848.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 175/0 175.0/0.0 175/0 0.0/0.0][PLAIN TEXT (SEARCH )] 39 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][4 pkts/1368 bytes -> 0 pkts/0 bytes][Host: shen][DHCP Fingerprint: 1,121,3,6,15,119,252][PLAIN TEXT (android)] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index e7bc6d0f4..34879997f 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out @@ -12,7 +12,7 @@ JA3 Host Stats: 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/TLS][cat: Web/5][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][bytes ratio: -0.700 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 52.8/36.3 142/142 56.7/54.5][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 165.1/934.6 629/1847 138.8/679.8][TLSv1.2][Client: mail.tomasu.net][JA3C: 812d8bce0f85487ba7834d36568ed586][Server: mail.tomasu.net][JA3S: 389ed42c02ebecc32e73aa31def07e14][Certificate SHA-1: 9C:00:A2:31:8F:66:C6:E2:D8:E8:1E:6F:52:49:AD:15:0A:8B:7C:68][Validity: 2014-01-29 00:00:00 - 2019-01-28 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 20.1/23.5 98/97 33.1/35.6][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 383.0/468.8 1504/1911 467.5/575.9][TLSv1.2][Client: www.facebook.com][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: 93:C6:FD:1A:84:90:BB:F1:B2:3B:49:A0:9B:1F:6F:0B:46:7A:31:41][Validity: 2014-08-28 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] 3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1000/992 1000.8/1000.8 1001/1012 0.4/4.2][Pkt Len c2s/s2c min/avg/max/stddev: 138/138 138.0/138.0 138/138 0.0/0.0] - 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 163.8/56.0 495/110 170.8/54.0][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 131.0/251.5 248/680 52.4/247.4][URL: mail.tomasu.net/][StatusCode: 301][PLAIN TEXT (GET / HTTP/1.1)] + 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 163.8/56.0 495/110 170.8/54.0][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 131.0/251.5 248/680 52.4/247.4][URL: mail.tomasu.net/][StatusCode: 301][ContentType: text/html][UserAgent: Wget/1.16.3 (linux-gnu)][PLAIN TEXT (GET / HTTP/1.1)] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes][PLAIN TEXT (ds 0/u6)] 6 UDP [2001:470:1f16:13f::2]:53959 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/133 bytes <-> 1 pkts/273 bytes][Host: star.c10r.facebook.com][PLAIN TEXT (facebook)] 7 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][cat: SocialNetwork/6][1 pkts/133 bytes <-> 1 pkts/261 bytes][Host: star.c10r.facebook.com][PLAIN TEXT (facebook)] diff --git a/tests/result/EAQ.pcap.out b/tests/result/EAQ.pcap.out index f61f5b11d..d159305ab 100644 --- a/tests/result/EAQ.pcap.out +++ b/tests/result/EAQ.pcap.out @@ -1,8 +1,8 @@ Google 23 11743 2 EAQ 174 10092 29 - 1 TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 7.126/HTTP.Google][cat: Web/5][8 pkts/591 bytes <-> 6 pkts/9998 bytes][Host: www.google.com.br][bytes ratio: -0.888 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/8 76.3/114.2 400/349 145.8/136.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 73.9/1666.3 193/2818 45.5/1240.4][URL: www.google.com.br/?gfe_rd=cr&ei=1BxnVcP9OKKk8we50oDAAg][StatusCode: 200][PLAIN TEXT (we50oDAAg HTTP/1.1)] - 2 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 7.126/HTTP.Google][cat: Web/5][5 pkts/390 bytes <-> 4 pkts/764 bytes][Host: www.google.com][bytes ratio: -0.324 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/10 50.8/49.5 139/89 54.1/39.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 78.0/191.0 154/602 38.8/237.3][URL: www.google.com/][StatusCode: 302][PLAIN TEXT (GET / HTTP/1.1)] + 1 TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 7.126/HTTP.Google][cat: Web/5][8 pkts/591 bytes <-> 6 pkts/9998 bytes][Host: www.google.com.br][bytes ratio: -0.888 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/8 76.3/114.2 400/349 145.8/136.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 73.9/1666.3 193/2818 45.5/1240.4][URL: www.google.com.br/?gfe_rd=cr&ei=1BxnVcP9OKKk8we50oDAAg][StatusCode: 200][ContentType: text/html][UserAgent: test][PLAIN TEXT (we50oDAAg HTTP/1.1)] + 2 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 7.126/HTTP.Google][cat: Web/5][5 pkts/390 bytes <-> 4 pkts/764 bytes][Host: www.google.com][bytes ratio: -0.324 (Download)][IAT c2s/s2c min/avg/max/stddev: 6/10 50.8/49.5 139/89 54.1/39.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 78.0/191.0 154/602 38.8/237.3][URL: www.google.com/][StatusCode: 302][ContentType: text/html][UserAgent: test][PLAIN TEXT (GET / HTTP/1.1)] 3 UDP 10.8.0.1:39185 <-> 200.194.132.67:6000 [proto: 190/EAQ][cat: Network/14][5 pkts/290 bytes <-> 5 pkts/290 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 21509/21499 21642.0/21641.8 21860/21869 132.0/138.2][Pkt Len c2s/s2c min/avg/max/stddev: 58/58 58.0/58.0 58/58 0.0/0.0] 4 UDP 10.8.0.1:42620 <-> 200.194.148.66:6000 [proto: 190/EAQ][cat: Network/14][5 pkts/290 bytes <-> 5 pkts/290 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 20533/20540 21310.5/21309.5 21609/21619 449.8/445.7][Pkt Len c2s/s2c min/avg/max/stddev: 58/58 58.0/58.0 58/58 0.0/0.0] 5 UDP 10.8.0.1:43641 <-> 200.194.148.68:6000 [proto: 190/EAQ][cat: Network/14][5 pkts/290 bytes <-> 5 pkts/290 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 20541/20540 21309.5/21304.5 21618/21649 445.1/444.9][Pkt Len c2s/s2c min/avg/max/stddev: 58/58 58.0/58.0 58/58 0.0/0.0] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index 860c1c2ee..2d09187a8 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -23,8 +23,8 @@ JA3 Host Stats: 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2833.0/4340.0 12590/13131 4126.4/4406.8][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131.2/188.3 657/274 136.4/75.5] 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][bytes ratio: 0.442 (Upload)][IAT c2s/s2c min/avg/max/stddev: 40/104 3455.9/3426.0 12765/12806 4427.1/4479.6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193.0/74.7 303/98 122.5/20.9] 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Organization: SAMSUNG ELECTRONICS CO., LTD][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Validity: 1999-12-31 15:02:10 - 2049-12-18 15:02:10][Cipher: TLS_RSA_WITH_RC4_128_MD5] - 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/40 114.7/101.7 264/210 105.6/76.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/104.5 243/339 73.2/104.9][URL: www.facebook.com/mobile/status.php][StatusCode: 204][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] - 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 43/38 5451.5/101.3 21457/215 9241.2/80.5][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/114.2 243/339 73.2/112.4][URL: www.facebook.com/mobile/status.php][StatusCode: 204][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] + 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com][bytes ratio: -0.126 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 40/40 114.7/101.7 264/210 105.6/76.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/104.5 243/339 73.2/104.9][URL: www.facebook.com/mobile/status.php][StatusCode: 204][ContentType: ][UserAgent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] + 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com][bytes ratio: -0.079 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 43/38 5451.5/101.3 21457/215 9241.2/80.5][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 97.4/114.2 243/339 73.2/112.4][URL: www.facebook.com/mobile/status.php][StatusCode: 204][ContentType: ][UserAgent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI/V6.4.3.0.KXDMICB)][PLAIN TEXT (GET /mobile/status.php HTTP/1.1)] 13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][cat: Web/5][7 pkts/392 bytes <-> 7 pkts/392 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 136/98 3845.2/3844.4 13075/13111 4718.5/4734.8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 56.0/56.0 56/56 0.0/0.0] 14 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/TLS][cat: Web/5][2 pkts/112 bytes <-> 3 pkts/168 bytes] 15 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][2 pkts/139 bytes <-> 2 pkts/112 bytes] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index 8093905de..065143677 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -20,7 +20,8 @@ JA3 Host Stats: 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 140.8/117.3 494/295 163.1/91.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195.5/78.0 735/189 228.1/34.6][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4202.8/4246.6 4716/5160 1130.8/719.3][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141.0/142.0 150/142 6.1/0.0] 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266.5/3766.4 4903/4991 1244.7/1143.7][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140.2/140.2 142/142 5.7/5.7] - 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Host: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406.0/438.7 2019/1166 732.2/514.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 139.6/87.1 665/262 198.8/71.4][URL: hkminorshort.weixin.qq.comhttp://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][PLAIN TEXT (POST http)] + 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][cat: Chat/9][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Host: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406.0/438.7 2019/1166 732.2/514.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 139.6/87.1 665/262 198.8/71.4][URL: hkminorshort.weixin.qq.comhttp://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][ContentType: application/octet-stream +Content-Disposition: attachment][UserAgent: MicroMessenger Client][PLAIN TEXT (POST http)] 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][6 pkts/543 bytes <-> 5 pkts/945 bytes][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 77/47 4920.2/8061.3 17431/17434 6679.4/7162.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 90.5/189.0 130/504 24.3/164.1] 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][3 pkts/1044 bytes <-> 2 pkts/154 bytes] 11 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 178/Amazon][cat: Web/5][2 pkts/225 bytes <-> 2 pkts/171 bytes][PLAIN TEXT (xiaomi.com)] diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out index 5a431f6df..887b740b7 100644 --- a/tests/result/anyconnect-vpn.pcap.out +++ b/tests/result/anyconnect-vpn.pcap.out @@ -26,12 +26,15 @@ JA3 Host Stats: 3 TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 90.8/63.5 593/619 144.9/135.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185.3/270.7 1261/1434 259.0/387.4][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] 4 TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.8/26.1 48/88 21.3/28.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171.2/522.5 1175/1514 273.9/624.5][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][Server: *.pandion.viasat.com][JA3S: 01cbbd332fc4ce7d5925ebd825882842 (WEAK)][Organization: Viasat Inc.][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA] 5 TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866.5/28.1 11074/80 2946.8/34.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184.3/170.5 853/487 228.0/155.1][TLSv1.2][Client: slack.com][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] - 6 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824.1/3641.6 10081/10083 3592.5/4384.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 191.9/340.3 373/450 153.1/173.5][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][PLAIN TEXT (GET /success.txt)] + 6 TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824.1/3641.6 10081/10083 3592.5/4384.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 191.9/340.3 373/450 153.1/173.5][URL: detectportal.firefox.com/success.txt?ipv4][StatusCode: 200][ContentType: ][UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt)] 7 TCP 10.0.0.227:56320 <-> 10.0.0.149:8009 [proto: 161/CiscoVPN][cat: VPN/2][20 pkts/2420 bytes <-> 10 pkts/1760 bytes][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/5003 2648.5/5003.6 5001/5006 2494.5/1.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/176 121.0/176.0 176/176 55.0/0.0] 8 ICMPV6 [fe80::2e7e:81ff:feb0:4aa1]:0 -> [ff02::1]:0 [proto: 102/ICMPV6][cat: Network/14][16 pkts/2784 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2867/0 3027.8/0.0 3072/0 84.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 174/0 174.0/0.0 174/0 0.0/0.0] - 9 TCP 10.0.0.227:56955 <-> 10.0.0.151:8060 [proto: 7/HTTP][cat: Web/5][6 pkts/650 bytes <-> 5 pkts/1668 bytes][Host: 10.0.0.151][bytes ratio: -0.439 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 4.0/3.7 9/6 3.2/1.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108.3/333.6 308/1206 89.4/442.2][URL: 10.0.0.151:8060/dial/dd.xml][StatusCode: 200][PLAIN TEXT (GET /dial/dd.xml HTTP/1.1)] - 10 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Host: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694.2/6150.7 10081/10078 4344.1/4052.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 162.7/258.0 368/450 145.3/192.0][URL: detectportal.firefox.com/success.txt][StatusCode: 200][PLAIN TEXT (GET /success.txt HTTP/1.1)] - 11 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 7/HTTP][cat: Web/5][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Host: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2.3/3.0 6/3 2.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131.8/467.0 317/1261 107.1/561.5][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 200][PLAIN TEXT (HGET /ssdp/device)] + 9 TCP 10.0.0.227:56955 <-> 10.0.0.151:8060 [proto: 7/HTTP][cat: Web/5][6 pkts/650 bytes <-> 5 pkts/1668 bytes][Host: 10.0.0.151][bytes ratio: -0.439 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 4.0/3.7 9/6 3.2/1.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108.3/333.6 308/1206 89.4/442.2][URL: 10.0.0.151:8060/dial/dd.xml][StatusCode: 200][ContentType: text/xml][UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][PLAIN TEXT (GET /dial/dd.xml HTTP/1.1)] + 10 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Host: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694.2/6150.7 10081/10078 4344.1/4052.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 162.7/258.0 368/450 145.3/192.0][URL: detectportal.firefox.com/success.txt][StatusCode: 200][ContentType: ][UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt HTTP/1.1)] + 11 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 7/HTTP][cat: Web/5][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Host: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2.3/3.0 6/3 2.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131.8/467.0 317/1261 107.1/561.5][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 200][ContentType: application/xml + + +