From b833b1f16fca513a36e22720553ccd9679773911 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Tue, 13 Jul 2021 13:47:17 +0200
Subject: Improved dnscrypt midstream detection.

* fixed skype false-positive detection of dnscrypt traffic

Signed-off-by: Toni Uhlig
---
 tests/pcap/dnscrypt_skype_false_positive.pcapng | Bin 0 -> 2720 bytes
 tests/result/dnscrypt_skype_false_positive.pcapng.out | 7 +++++++
 2 files changed, 7 insertions(+)
 create mode 100644 tests/pcap/dnscrypt_skype_false_positive.pcapng
 create mode 100644 tests/result/dnscrypt_skype_false_positive.pcapng.out
(limited to 'tests')

diff --git a/tests/pcap/dnscrypt_skype_false_positive.pcapng b/tests/pcap/dnscrypt_skype_false_positive.pcapng
new file mode 100644
index 000000000..36b614a73
Binary files /dev/null and b/tests/pcap/dnscrypt_skype_false_positive.pcapng differ
diff --git a/tests/result/dnscrypt_skype_false_positive.pcapng.out b/tests/result/dnscrypt_skype_false_positive.pcapng.out
new file mode 100644
index 000000000..044da2e9e
--- /dev/null
+++ b/tests/result/dnscrypt_skype_false_positive.pcapng.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 4 (4.00 pkts/flow)
+
+DNScrypt 6 2380 1
+
+ 1 UDP 192.168.2.100:46858 <-> 212.47.228.136:443 [proto: 208/DNScrypt][cat: Network/14][3 pkts/1662 bytes <-> 3 pkts/718 bytes][Goodput ratio: 92/82][5137.13 sec][bytes ratio: 0.397 (Upload)][IAT c2s/s2c min/avg/max/stddev: 300005/300005 2568548/2568547 4837091/4837089 2268543/2268542][Pkt Len c2s/s2c min/avg/max/stddev: 554/154 554/239 554/282 0/60][PLAIN TEXT (OYy Tp)][Plen Bins: 0,0,0,16,0,0,0,33,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-- 
cgit v1.2.3