From 72efa329db996a45f394457238b218252bae3e00 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 31 May 2016 12:20:25 +0200 Subject: Enhanced fragments support in ndpiReader Improved RX protocol dissection and removed port guess as it caused false positives. --- src/lib/ndpi_main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 2c4b491ed..fa32146a9 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1532,8 +1532,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0); - ports_b[0].port_low = 7000; - ports_b[0].port_high = 7032; /* See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 */ + /* Port guess is disabled as this is UDP and we can figure our immediately looking + at the RX header, is this is RX or not + + See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 + */ ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_RX, no_master, no_master, "RX", -- cgit v1.2.3 From adbba699887af89e89e14d55ea614677750b02f4 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 19 Jun 2016 21:25:58 +0200 Subject: Removed false positives from CoAP protocol Improved DNS detection Added misisng default DropBox port Fix for #154 Added sample pcap of Tor traffic for regression testing --- example/ndpiReader.c | 2 +- src/lib/ndpi_main.c | 5 +++++ src/lib/protocols/coap.c | 38 +++++++++++++++++++++++++++----------- src/lib/protocols/dns.c | 18 ++++++++++-------- src/lib/protocols/dropbox.c | 1 - src/lib/protocols/tor.c | 7 ++++--- tests/pcap/tor.pcap | Bin 0 -> 3155084 bytes tests/result/tor.pcap.out | 17 +++++++++++++++++ 8 files changed, 64 insertions(+), 24 deletions(-) create mode 100644 tests/pcap/tor.pcap create mode 100644 tests/result/tor.pcap.out (limited to 'src/lib/ndpi_main.c') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index e51407592..deb61b681 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -633,7 +633,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { /* Preferences */ ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0; - ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 1; + ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 0; ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fa32146a9..cbac5cf8b 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1365,6 +1365,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "QUIC", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DROPBOX, + no_master, + no_master, "Dropbox", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ, no_master, no_master, "EAQ", diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c index cddf31b7e..5f8e97863 100644 --- a/src/lib/protocols/coap.c +++ b/src/lib/protocols/coap.c @@ -72,7 +72,7 @@ struct ndpi_coap_hdr [164] = "5.04 Gateway Timeout", [165] = "5.05 Proxying Not Supported" **/ - + /** * Entry point when protocol is identified. @@ -83,6 +83,20 @@ static void ndpi_int_coap_add_connection (struct ndpi_detection_module_struct *n ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_COAP,NDPI_PROTOCOL_UNKNOWN); } +/** + * Check if the default port is acceptable + * + * UDP Port 5683 (mandatory) + * UDP Ports 61616-61631 compressed 6lowPAN + */ +static int isCoAPport(u_int16_t port) { + if((port == 5683) + || ((port >= 61616) && (port <= 61631))) + return(1); + else + return(0); +} + /** * Dissector function that searches CoAP headers */ @@ -91,22 +105,24 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &flow->packet; struct ndpi_coap_hdr * h = (struct ndpi_coap_hdr*) packet->payload; - + if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } // search for udp packet if(packet->udp != NULL) { - - // header too short - if(packet->payload_packet_len < 4) { - + u_int16_t s_port = ntohs(flow->packet.udp->source); + u_int16_t d_port = ntohs(flow->packet.udp->dest); + + if((!isCoAPport(s_port) && !isCoAPport(s_port)) + || (packet->payload_packet_len < 4) // header too short + ) { NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "excluding Coap\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); return; } - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "calculating coap over udp.\n"); // check values in header @@ -116,21 +132,21 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) || (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || (h->code >= 160 && h->code <= 165)) { - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Coap found...\n"); ndpi_int_coap_add_connection(ndpi_struct,flow); return; } } } - } + } } - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Coap ...\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); return; - } + /** * Entry point for the ndpi library */ diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f95ebbc36..7ee114579 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -126,8 +126,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } else invalid = 1; - if(ndpi_struct->dns_dissect_response) - return; /* The response will set the verdict */ } else { /* DNS Reply */ @@ -198,11 +196,18 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd off++; } + flow->host_server_name[j] = '\0'; flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); + if(j > 0) + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_DNS); + #ifdef DNS_DEBUG printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", __FILE__, __LINE__, @@ -210,14 +215,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name ); #endif - - if(j > 0) - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - NDPI_PROTOCOL_DNS); if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + if(is_query && ndpi_struct->dns_dissect_response) + return; /* The response will set the verdict */ + /** Do not set the protocol with DNS if ndpi_match_host_subprotocol() has matched a subprotocol diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index f51de95d2..3e53b4224 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -44,7 +44,6 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t payload_len = packet->payload_packet_len; if(packet->udp != NULL) { - u_int16_t dropbox_port = htons(DB_LSP_PORT); if((packet->udp->source == dropbox_port) diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 7903bf511..cb926d5f0 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -24,7 +24,7 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, if((certificate == NULL) || (strlen(certificate) < 6) - || !(strncmp(certificate, "www.", 4))) + || (strncmp(certificate, "www.", 4))) return(0); // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate); @@ -39,10 +39,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, len = strlen(name); - if(len > 6) { + if(len >= 5) { for(i = 0; name[i+1] != '\0'; i++) { + // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]); + if((name[i] >= '0') && (name[i] <= '9')) { - if(prev_num != 1) { numbers_found++; diff --git a/tests/pcap/tor.pcap b/tests/pcap/tor.pcap new file mode 100644 index 000000000..bf5b43649 Binary files /dev/null and b/tests/pcap/tor.pcap differ diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out new file mode 100644 index 000000000..b6008355d --- /dev/null +++ b/tests/result/tor.pcap.out @@ -0,0 +1,17 @@ +NetBIOS 1 252 1 +DHCPV6 6 906 1 +DropBox 10 1860 1 +Skype 1 60 1 +Tor 3676 3014362 7 + + 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][10 pkts/1860 bytes] + 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes] + 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes][SSL client: www.t3i3ru.com] + 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes][SSL client: www.e6r5p57kbafwrxj3plz.com] + 5 TCP 91.143.93.242:443 <-> 192.168.1.252:51175 [proto: 163/Tor][38 pkts/12520 bytes][SSL client: www.gfu7hbxpfp.com] + 6 TCP 157.56.30.46:443 <-> 192.168.1.252:51104 [proto: 91.125/SSL.Skype][1 pkts/60 bytes] + 7 UDP 192.168.1.252:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes] + 8 TCP 38.229.70.53:443 <-> 192.168.1.252:51112 [proto: 163/Tor][1576 pkts/1388792 bytes][SSL client: www.q4cyamnc6mtokjurvdclt.com] + 9 TCP 38.229.70.53:443 <-> 192.168.1.252:51176 [proto: 163/Tor][1826 pkts/1513278 bytes][SSL client: www.jmts2id.com] + 10 TCP 62.210.137.230:443 <-> 192.168.1.252:51185 [proto: 163/Tor][29 pkts/9661 bytes][SSL client: www.6gyip7tqim7sieb.com] + 11 TCP 91.143.93.242:443 <-> 192.168.1.252:51110 [proto: 163/Tor][141 pkts/68538 bytes][SSL client: www.ct7ctrgb6cr7.com] -- cgit v1.2.3 From b318d191a51af7638b1e64924a214e91fa9aa09e Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Thu, 23 Jun 2016 23:53:03 +0200 Subject: Removed variables not used --- src/lib/ndpi_main.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index cbac5cf8b..7a6a34fb3 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3285,8 +3285,6 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru flow->packet.iphv6 || #endif flow->packet.iph)) { - u_int32_t saddr, daddr; - flow->protocol_id_already_guessed = 1; flow->guessed_protocol_id = (int16_t)ndpi_guess_protocol_id(ndpi_struct, l4_proto, sport, dport); @@ -4478,7 +4476,6 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str u_int8_t is_host_match) { int matching_protocol_id = ndpi_match_string_subprotocol(ndpi_struct, string_to_match, string_to_match_len, is_host_match); struct ndpi_packet_struct *packet = &flow->packet; - AC_TEXT_t ac_input_text; #ifdef DEBUG { -- cgit v1.2.3 From 0f089bd49a8bfa1e57e862cef1352c6514f4719f Mon Sep 17 00:00:00 2001 From: Campus Date: Fri, 24 Jun 2016 13:19:14 +0200 Subject: added git protocol dissector and pcap for test --- src/include/ndpi_protocol_ids.h | 3 +- src/include/ndpi_protocols.h | 2 + src/lib/Makefile.am | 1 + src/lib/ndpi_main.c | 19 +++++-- src/lib/protocols/git.c | 118 ++++++++++++++++++++++++++++++++++++++++ tests/pcap/git.pcap | Bin 0 -> 77264 bytes tests/result/git.pcap.out | 3 + 7 files changed, 139 insertions(+), 7 deletions(-) create mode 100644 src/lib/protocols/git.c create mode 100644 tests/pcap/git.pcap create mode 100644 tests/result/git.pcap.out (limited to 'src/lib/ndpi_main.c') diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 4e06da989..adc56fc11 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -273,8 +273,9 @@ #define NDPI_PROTOCOL_RX 223 #define NDPI_SERVICE_WEIBO 224 #define NDPI_SERVICE_OPENDNS 225 +#define NDPI_PROTOCOL_GIT 226 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_OPENDNS +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_GIT #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 9298bf22a..04121347f 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -194,6 +194,7 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); @@ -334,4 +335,5 @@ void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_ void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index d83fdd5c0..bd336fd99 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -155,6 +155,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/coap.c \ protocols/mqtt.c \ protocols/rx.c \ + protocols/git.c \ third_party/include/actypes.h \ third_party/include/ahocorasick.h \ third_party/include/node.h \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index cbac5cf8b..58374849e 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1531,22 +1531,26 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "COAP", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 5683, 5684, 0, 0, 0)); /* UDP */ - ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_MQTT, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MQTT, no_master, no_master, "MQTT", ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0); + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ /* Port guess is disabled as this is UDP and we can figure our immediately looking at the RX header, is this is RX or not See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 */ - ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_RX, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX, no_master, no_master, "RX", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ports_b); /* UDP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GIT, + no_master, + no_master, "Git", + ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -2325,7 +2329,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* SSDP */ init_ssdp_dissector(ndpi_struct, &a, detection_bitmask); -/* WORLD_OF_WARCRAFT */ + /* WORLD_OF_WARCRAFT */ init_world_of_warcraft_dissector(ndpi_struct, &a, detection_bitmask); /* POSTGRES */ @@ -2559,6 +2563,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* RX */ init_rx_dissector(ndpi_struct, &a, detection_bitmask); + /* GIT */ + init_git_dissector(ndpi_struct, &a, detection_bitmask); + /* Put false-positive sensitive protocols at the end */ /* SKYPE */ diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c new file mode 100644 index 000000000..63479b26a --- /dev/null +++ b/src/lib/protocols/git.c @@ -0,0 +1,118 @@ +/* + * git.c + * + * Copyright (C) 2012-16 - ntop.org + * + * This module is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This module is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License. + * If not, see . + * + */ +#include +#include "ndpi_api.h" + +#ifdef NDPI_PROTOCOL_GIT + +#define GIT_PORT 9418 + +/* read all the length even if there is a null byte inside */ +u_int16_t read_all_len(char * s, u_int16_t git_len) +{ + char * p = s; + int c = 0; + while(*p && c < git_len-4) { + c++; + p++; + if(!*p) { + if(c < git_len-4) { + p++; + c++; + } + } + } + return c; +} + +void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct * packet = &flow->packet; + const u_int8_t * pp = packet->payload; + u_int16_t payload_len = packet->payload_packet_len; + + u_int8_t * git_pkt_len_buff = NULL; + u_int8_t * git_pkt_data = NULL; + u_int16_t git_len = 0, count = 0 , is_git = 0; + + if(packet->tcp != NULL) { + + if((ntohs(packet->tcp->source) == GIT_PORT || + ntohs(packet->tcp->dest) == GIT_PORT)) { + + git_pkt_len_buff = malloc(4 * sizeof(u_int8_t)); + + do { + memcpy(git_pkt_len_buff, pp, 4); + git_len = (int)strtol(git_pkt_len_buff, NULL, 16); + + if(git_pkt_len_buff[0] == 48 && + git_pkt_len_buff[1] == 48 && + git_pkt_len_buff[2] == 48 && + git_pkt_len_buff[3] == 48) + /* Terminator packet */ + count += 4; + else { + git_pkt_data = malloc((git_len-4) * sizeof(u_int8_t)); + memcpy(git_pkt_data, pp+4, git_len-4); + u_int16_t data_len = read_all_len(git_pkt_data, git_len); + free(git_pkt_data); + + if(git_len != data_len+4) + goto no_git; + else { + count += git_len; + pp += git_len; + } + } + } while(count < payload_len); + } + else goto no_git; + } + else goto no_git; + + NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "found Git.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN); + return; + + no_git: + NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "exclude Git.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GIT); +} + + +/* ***************************************************************** */ + + +void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("Git", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_GIT, + ndpi_search_git, + NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif /* NDPI_PROTOCOL_GIT */ diff --git a/tests/pcap/git.pcap b/tests/pcap/git.pcap new file mode 100644 index 000000000..b32a255ef Binary files /dev/null and b/tests/pcap/git.pcap differ diff --git a/tests/result/git.pcap.out b/tests/result/git.pcap.out new file mode 100644 index 000000000..665dad5a8 --- /dev/null +++ b/tests/result/git.pcap.out @@ -0,0 +1,3 @@ +Git 90 74005 1 + + 1 TCP 5.153.231.21:9418 <-> 192.168.0.77:47991 [proto: 226/Git][90 pkts/74005 bytes] -- cgit v1.2.3 From 0e49eb1d17c33b784359f8dbdbb59041cac7aaab Mon Sep 17 00:00:00 2001 From: Campus Date: Sat, 2 Jul 2016 18:29:02 +0200 Subject: added drda protocol - fix quic output after commit 87717dd77f3c16d6b1a997a257ed442435ee93ec --- src/include/ndpi_protocol_ids.h | 3 +- src/include/ndpi_protocols.h | 2 + src/lib/Makefile.am | 9 ++-- src/lib/ndpi_main.c | 83 +++++++++++++------------------ src/lib/protocols/drda.c | 106 ++++++++++++++++++++++++++++++++++++++++ tests/pcap/drda_db2.pcap | Bin 0 -> 7323 bytes tests/result/drda_db2.pcap.out | 3 ++ tests/result/quic.pcap.out | 21 ++++---- 8 files changed, 164 insertions(+), 63 deletions(-) create mode 100644 src/lib/protocols/drda.c create mode 100755 tests/pcap/drda_db2.pcap create mode 100644 tests/result/drda_db2.pcap.out (limited to 'src/lib/ndpi_main.c') diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index adc56fc11..58253e9ce 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -274,8 +274,9 @@ #define NDPI_SERVICE_WEIBO 224 #define NDPI_SERVICE_OPENDNS 225 #define NDPI_PROTOCOL_GIT 226 +#define NDPI_PROTOCOL_DRDA 227 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_GIT +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_DRDA #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 04121347f..82d5bdb69 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -195,6 +195,7 @@ void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct n void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); @@ -336,4 +337,5 @@ void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index bd336fd99..18c195dbe 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -26,6 +26,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/bittorrent.c \ protocols/ciscovpn.c \ protocols/citrix.c \ + protocols/coap.c \ protocols/collectd.c \ protocols/corba.c \ protocols/crossfire.c \ @@ -36,6 +37,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/directdownloadlink.c \ protocols/dns.c \ protocols/dofus.c \ + protocols/drda.c \ protocols/dropbox.c \ protocols/eaq.c \ protocols/edonkey.c \ @@ -45,6 +47,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/florensia.c \ protocols/ftp_control.c \ protocols/ftp_data.c \ + protocols/git.c \ protocols/gnutella.c \ protocols/gtp.c \ protocols/guildwars.c \ @@ -74,6 +77,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/mgcp.c \ protocols/mms.c \ protocols/mpegts.c \ + protocols/mqtt.c \ protocols/msn.c \ protocols/mssql.c \ protocols/mysql.c \ @@ -104,6 +108,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/rtmp.c \ protocols/rtp.c \ protocols/rtsp.c \ + protocols/rx.c \ protocols/sflow.c \ protocols/shoutcast.c \ protocols/sip.c \ @@ -152,10 +157,6 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/yahoo.c \ protocols/zattoo.c \ protocols/zeromq.c \ - protocols/coap.c \ - protocols/mqtt.c \ - protocols/rx.c \ - protocols/git.c \ third_party/include/actypes.h \ third_party/include/ahocorasick.h \ third_party/include/node.h \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 84232a313..f97a2fffc 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1459,43 +1459,43 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHOIS_DAS, no_master, no_master, "Whois-DAS", - ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD, no_master, no_master, "Collectd", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOCKS, no_master, no_master, "SOCKS", - ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TFTP, no_master, no_master, "TFTP", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTMP, no_master, no_master, "RTMP", - ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PANDO, no_master, no_master, "Pando_Media_Booster", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MEGACO, no_master, no_master, "Megaco", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 2944 , 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 2944 , 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_REDIS, no_master, no_master, "Redis", - ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0 , 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0 , 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZMQ, no_master, no_master, "ZeroMQ", @@ -1514,13 +1514,13 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2, no_master, no_master, "UBNTAC2", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MS_LYNC, no_master, no_master, "Lync", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VIBER, no_master, no_master, "Viber", @@ -1536,21 +1536,22 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "MQTT", ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ - /* Port guess is disabled as this is UDP and we can figure our immediately looking - at the RX header, is this is RX or not - - See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 - */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX, no_master, no_master, "RX", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GIT, no_master, no_master, "Git", - ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DRDA, + no_master, + no_master, "DRDA", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -2566,7 +2567,10 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* GIT */ init_git_dissector(ndpi_struct, &a, detection_bitmask); - /* Put false-positive sensitive protocols at the end */ + /* DRDA */ + init_drda_dissector(ndpi_struct, &a, detection_bitmask); + + /*** Put false-positive sensitive protocols at the end ***/ /* SKYPE */ init_skype_dissector(ndpi_struct, &a, detection_bitmask); @@ -4578,25 +4582,6 @@ char* ndpi_revision() { return(NDPI_GIT_RELEASE); } #ifdef WIN32 -/* - int pthread_mutex_init(pthread_mutex_t *mutex, void *unused) { - unused = NULL; - *mutex = CreateMutex(NULL, FALSE, NULL); - return *mutex == NULL ? -1 : 0; - } - - int pthread_mutex_destroy(pthread_mutex_t *mutex) { - return CloseHandle(*mutex) == 0 ? -1 : 0; - } - - int pthread_mutex_lock(pthread_mutex_t *mutex) { - return WaitForSingleObject(*mutex, INFINITE) == WAIT_OBJECT_0 ? 0 : -1; - } - - int pthread_mutex_unlock(pthread_mutex_t *mutex) { - return ReleaseMutex(*mutex) == 0 ? -1 : 0; - } -*/ /* http://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/port/gettimeofday.c;h=75a91993b74414c0a1c13a2a09ce739cb8aa8a08;hb=HEAD */ int gettimeofday(struct timeval * tp, struct timezone * tzp) { /* FILETIME of Jan 1 1970 00:00:00. */ diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c new file mode 100644 index 000000000..9240e8364 --- /dev/null +++ b/src/lib/protocols/drda.c @@ -0,0 +1,106 @@ +/* + * drda.c + * + * Copyright (C) 2012-16 - ntop.org + * + * This module is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This module is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License. + * If not, see . + * + */ +#include "ndpi_api.h" + +#ifdef NDPI_PROTOCOL_DRDA + +#define DRDA_PORT 50000 + +struct ndpi_drda_hdr { + u_int16_t length; + u_int8_t magic; + u_int8_t format; + u_int16_t correlID; + u_int16_t length2; + u_int16_t code_pnt; +}; + + +void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct * packet = &flow->packet; + u_int16_t payload_len = packet->payload_packet_len; + u_int16_t count = 0; + + if(packet->tcp != NULL) { + + /* check port */ + if((ntohs(packet->tcp->source) == DRDA_PORT || + ntohs(packet->tcp->dest) == DRDA_PORT)) { + + struct ndpi_drda_hdr * drda = (struct ndpi_drda_hdr *) packet->payload; + + u_int16_t len = ntohs(drda->length); + + /* check first header */ + if(len - 6 != ntohs(drda->length2) && + drda->magic != 0xd0) + goto no_drda; + + /* check if there are more drda headers */ + if(payload_len > len) { + + count = len; + const u_int8_t * pp = packet->payload + len; + + while(count < payload_len) + { + /* update info */ + drda = (struct ndpi_drda_hdr *) pp; + len = ntohs(drda->length); + + if(len - 6 != ntohs(drda->length2) && + drda->magic != 0xd0) + goto no_drda; + + count += len; + } + if(count != payload_len) goto no_drda; + } + NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "found DRDA.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DRDA, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + + no_drda: + NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "exclude DRDA.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DRDA); +} + + +/* ***************************************************************** */ + + +void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("DRDA", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_DRDA, + ndpi_search_drda, + NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif /* NDPI_PROTOCOL_DRDA */ diff --git a/tests/pcap/drda_db2.pcap b/tests/pcap/drda_db2.pcap new file mode 100755 index 000000000..e91629e04 Binary files /dev/null and b/tests/pcap/drda_db2.pcap differ diff --git a/tests/result/drda_db2.pcap.out b/tests/result/drda_db2.pcap.out new file mode 100644 index 000000000..ee222fcd6 --- /dev/null +++ b/tests/result/drda_db2.pcap.out @@ -0,0 +1,3 @@ +DRDA 38 6691 1 + + 1 TCP 192.168.106.1:4847 <-> 192.168.106.128:50000 [proto: 227/DRDA][38 pkts/6691 bytes] diff --git a/tests/result/quic.pcap.out b/tests/result/quic.pcap.out index 9c56d2d75..144137339 100644 --- a/tests/result/quic.pcap.out +++ b/tests/result/quic.pcap.out @@ -1,15 +1,18 @@ Unknown 6 7072 1 -QUIC 512 341494 9 +GMail 413 254874 1 +YouTube 83 73409 4 +Google 13 12847 3 +QUIC 3 364 1 - 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188/QUIC][3 pkts/2863 bytes][Host: i.ytimg.com] - 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188/QUIC][2 pkts/2784 bytes][Host: yt3.ggpht.com] - 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188/QUIC][413 pkts/254874 bytes][Host: mail.google.com] + 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][3 pkts/2863 bytes][Host: i.ytimg.com] + 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.126/QUIC.Google][2 pkts/2784 bytes][Host: yt3.ggpht.com] + 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188.122/QUIC.GMail][413 pkts/254874 bytes][Host: mail.google.com] 4 UDP 172.217.16.3:443 <-> 192.168.1.105:40461 [proto: 188/QUIC][3 pkts/364 bytes] - 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188/QUIC][5 pkts/4334 bytes][Host: www.google.com] - 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188/QUIC][7 pkts/6545 bytes][Host: www.youtube.com] - 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188/QUIC][69 pkts/58433 bytes][Host: www.youtube.com] - 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188/QUIC][6 pkts/5729 bytes][Host: fonts.gstatic.com] - 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188/QUIC][4 pkts/5568 bytes][Host: s.ytimg.com] + 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188.126/QUIC.Google][5 pkts/4334 bytes][Host: www.google.com] + 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188.124/QUIC.YouTube][7 pkts/6545 bytes][Host: www.youtube.com] + 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188.124/QUIC.YouTube][69 pkts/58433 bytes][Host: www.youtube.com] + 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188.126/QUIC.Google][6 pkts/5729 bytes][Host: fonts.gstatic.com] + 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188.124/QUIC.YouTube][4 pkts/5568 bytes][Host: s.ytimg.com] Undetected flows: -- cgit v1.2.3