diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 6a5f329141a..a5ffffffc71 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -32,6 +32,7 @@ #include #include #include /* FLT_EPSILON */
+
 #ifdef WIN32 #include /* winsock.h is included automatically */
 #include 
@@ -2000,6 +2001,48 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa } } + if(flow->mdns_metadata.num_services > 0) { + fprintf(out, "[MDNS advertised services (found %d) - ", flow->mdns_metadata.num_services); + + for(int i = 0; i < flow->mdns_metadata.num_services - 1; i++) { + struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[i]; + + fprintf(out, "rsp_class: %d ", service->rsp_class); + fprintf(out, "ttl: %ds ", service->ttl); + fprintf(out, "rdatalength: %d ", service->data_len); + + fprintf(out, "rsp_type: "); + switch (service -> rsp_type) { + case 0x0C: /* PTR */ + fprintf(out, "PTR data: %s advertised %s; ", service->name, service->data); break; + case 0x10: /* TXT */ + fprintf(out, "TXT data: %s additional info %s; ", service->name, service->data); break; + case 0x21: /* SRV */ + fprintf(out, "SRV data: %s is on port %d; ", service->name, service->srv_port); break; + case 0x05: /* CNAME */ + break; + } + } + /* last line without spacing at the end */ + struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[flow->mdns_metadata.num_services - 1]; + + fprintf(out, "rsp_class: %d ", service->rsp_class); + fprintf(out, "ttl: %ds ", service->ttl); + fprintf(out, "rdatalength: %d ", service->data_len); + + fprintf(out, "rsp_type: "); + switch (service -> rsp_type) { + case 0x0C: /* PTR */ + fprintf(out, "PTR data: %s advertised %s]", service->name, service->data); break; + case 0x10: /* TXT */ + fprintf(out, "TXT data: %s additional info %s]", service->name, service->data); break; + case 0x21: /* SRV */ + fprintf(out, "SRV data: %s is on port %d]", service->name, service->srv_port); break; + case 0x05: /* CNAME */ + break; + } + } + fprintf(out, "[%s]", ndpi_is_encrypted_proto(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol) ? "Encrypted" : "ClearText"); diff --git a/example/reader_util.c b/example/reader_util.c index bf01d704539..f733553038b 100644 
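Review bot: The mDNS print block in printFlow duplicates the whole per-entry body only to vary the trailing `; ` versus `]`, and both copies leave the output dangling (`rsp_type: ` with no value and, for the last entry, no closing `]`) for the CNAME case and for any rsp_type the switch does not list. Both `service->name` and `service->data` are also handed to `%s` unchecked, while the copy in reader_util.c stores the result of ndpi_strdup() without testing it, so an allocation failure there becomes a NULL dereference here. A single loop that picks the terminator per iteration, substitutes `""` for a NULL pointer and has a default arm removes the duplication; since these strings are copied verbatim from the wire, filtering non-printable bytes before they reach the log (an `ndpi_is_printable_buffer()`-style check) is worth considering as well. printFlow starts and ends outside the hunk.
```c
  if(flow->mdns_metadata.num_services > 0) {
    fprintf(out, "[MDNS advertised services (found %d) - ", flow->mdns_metadata.num_services);

    for(int i = 0; i < flow->mdns_metadata.num_services; i++) {
      struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[i];
      /* the last entry closes the bracket instead of emitting a separator */
      const char *tail = (i + 1 < flow->mdns_metadata.num_services) ? "; " : "]";
      /* strings come from ndpi_strdup() in reader_util.c and may be NULL on OOM */
      const char *name = service->name ? service->name : "";
      const char *data = service->data ? service->data : "";

      fprintf(out, "rsp_class: %d ttl: %us rdatalength: %d rsp_type: ",
              service->rsp_class, service->ttl, service->data_len);

      switch(service->rsp_type) {
      case 0x0C: /* PTR */
        fprintf(out, "PTR data: %s advertised %s%s", name, data, tail); break;
      case 0x10: /* TXT */
        fprintf(out, "TXT data: %s additional info %s%s", name, data, tail); break;
      case 0x21: /* SRV */
        fprintf(out, "SRV data: %s is on port %d%s", name, service->srv_port, tail); break;
      default: /* CNAME and anything else: never leave the bracket open */
        fprintf(out, "0x%x%s", service->rsp_type, tail); break;
      }
    }
  }
  /* … unchanged: Encrypted/ClearText print … */
```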
--- a/example/reader_util.c +++ b/example/reader_util.c @@ -616,6 +616,14 @@ void ndpi_flow_info_free_data(struct ndpi_flow_info *flow) { if(flow->tcp_fingerprint) ndpi_free(flow->tcp_fingerprint); if(flow->risk_str) ndpi_free(flow->risk_str); if(flow->flow_payload) ndpi_free(flow->flow_payload); + + if (flow->mdns_metadata.services) { + for(int i = 0; i < flow->mdns_metadata.num_services; i++) { + if (flow->mdns_metadata.services[i].name) ndpi_free(flow->mdns_metadata.services[i].name); + if (flow->mdns_metadata.services[i].data) ndpi_free(flow->mdns_metadata.services[i].data); + } + ndpi_free(flow->mdns_metadata.services); + } } /* ***************************************************** */ @@ -1628,6 +1636,28 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl ndpi_snprintf(flow->fast_cgi.url, sizeof(flow->fast_cgi.url), "%s", flow->ndpi_flow->protos.fast_cgi.url); } + flow->mdns_metadata.num_services = flow->ndpi_flow->mdns_metadata.num_services; + + if(flow->mdns_metadata.num_services > 0) { + flow->mdns_metadata.services = ndpi_malloc( + sizeof(struct ndpi_mdns_rsp_entry) * flow->mdns_metadata.num_services); + + if (flow->mdns_metadata.services) { + for(int idx = 0; idx < flow->mdns_metadata.num_services; ++idx) { + struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[idx]; + struct ndpi_mdns_rsp_entry *reference = &flow->ndpi_flow->mdns_metadata.services[idx]; + + service->rsp_type = reference->rsp_type; + service->rsp_class = reference->rsp_class; + service->ttl = reference->ttl; + service->data_len = reference->data_len; + service->name = ndpi_strdup(reference->name); + service->data = ndpi_strdup(reference->data); + service->srv_port = reference->srv_port; + } + } + } + if(!monitoring_enabled) { add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address); add_to_address_port_list(&flow->stun.peer_address, &flow->ndpi_flow->stun.peer_address); 
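Review bot: In process_ndpi_collected_info the `ndpi_strdup()` results stored in `service->name` and `service->data` are never checked, so under allocation failure an entry with a NULL string is kept, counted, and later printed through `%s` in ndpiReader. On failure the loop should stop, release the half-built entry (guarding NULL the way ndpi_flow_info_free_data does) and set `flow->mdns_metadata.num_services = idx;` so the count matches what was actually copied. `flow->mdns_metadata.services` is also assigned without regard to its previous value; if this function can run more than once for the same flow, which the hunk does not show either way, the earlier array and its strings leak. The enclosing function starts and ends outside the hunk.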
diff --git a/example/reader_util.h b/example/reader_util.h index 11283b4c1fb..3ea3af98354 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -285,6 +285,11 @@ typedef struct ndpi_flow_info { } bfcp; }; + struct { + uint8_t num_services; + struct ndpi_mdns_rsp_entry *services; + } mdns_metadata; + ndpi_serializer ndpi_flow_serializer; char host_server_name[80]; /* Hostname/SNI */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index e70ab09f8ee..cd9a26aec89 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -397,12 +397,15 @@ struct ndpi_dhcphdr { } PACK_OFF; /* +++++++++++++++ MDNS rsp header +++++++++++++++ */ -PACK_ON + struct ndpi_mdns_rsp_entry { u_int16_t rsp_type, rsp_class; u_int32_t ttl; u_int16_t data_len; -} PACK_OFF; + char *name; // hostname + char *data; // metadata + u_int16_t srv_port; +}; /* +++++++++++++++++++ LLC header (IEEE 802.2) ++++++++++++++++ */ @@ -1319,6 +1322,7 @@ typedef enum { #define MAX_NUM_TLS_SIGNATURE_ALGORITHMS 16 #define MAX_NUM_DNS_RSP_ADDRESSES 4 +#define MAX_NUM_MDNS_ADVERTISED_SERVICES 8 typedef struct { union { @@ -1700,6 +1704,11 @@ struct ndpi_flow_struct { } protos; + struct { + uint8_t num_services; + struct ndpi_mdns_rsp_entry *services; + } mdns_metadata; + /* **Packet** metadata for flows where monitoring is enabled. It is reset after each packet! */ struct ndpi_metadata_monitoring *monit; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 563cb3bf9f0..eab9dff1d82 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
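Review bot: `struct ndpi_mdns_rsp_entry` in ndpi_typedefs.h loses PACK_ON/PACK_OFF and gains two pointers and a port, so it is no longer an overlay of the wire record and its size and layout change in a public header; the hunks here no longer cast it onto packet bytes, but any other consumer that still does would silently read garbage, which the commit message should call out. The new field comments are also misleading: `name` holds the RR owner name (the test output shows values like `_services._dns-sd._udp.local`), not a hostname, and `data` is decoded rdata rendered as text. I would document ownership while at it: `char *name; /* RR owner name, NUL-terminated, owned by the flow */` and `char *data; /* PTR/SRV target or joined TXT strings, NUL-terminated, owned by the flow */`, plus a note that `srv_port` is only meaningful for SRV records.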
@@ -7830,6 +7830,14 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) { if(flow->tls_quic.obfuscated_heur_state) ndpi_free(flow->tls_quic.obfuscated_heur_state); + + if (flow->mdns_metadata.services) { + for(int i = 0; i < flow->mdns_metadata.num_services; i++) { + if (flow->mdns_metadata.services[i].name) ndpi_free(flow->mdns_metadata.services[i].name); + if (flow->mdns_metadata.services[i].data) ndpi_free(flow->mdns_metadata.services[i].data); + } + ndpi_free(flow->mdns_metadata.services); + } } } diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index fa498da45d4..a7c30e6557b 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -20,6 +20,7 @@ * along with nDPI. If not, see . * */ +#include "ndpi_define.h" #include "ndpi_protocol_ids.h" @@ -236,11 +237,12 @@ static u_int64_t fpc_dns_cache_key_from_packet(const unsigned char *ip, int ip_l /* *********************************************** */ -static u_int8_t ndpi_grab_dns_name(struct ndpi_packet_struct *packet, +static u_int8_t ndpi_grab_dns_name_internal(struct ndpi_packet_struct *packet, u_int *off /* payload offset */, char *_hostname, u_int max_len, u_int *_hostname_len, - u_int8_t ignore_checks) { + u_int8_t ignore_checks, + ndpi_bitmap *bitmap) { u_int8_t hostname_is_valid = 1; u_int j = 0; 
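Review bot: The new free loop in ndpi_free_flow_data releases `mdns_metadata.services` and its strings but leaves the pointer and `num_services` as they were; if a flow struct can be reset and reused after this call (the caller is not visible here), a second pass would free the same block again. Adding `flow->mdns_metadata.services = NULL; flow->mdns_metadata.num_services = 0;` after `ndpi_free(flow->mdns_metadata.services);` closes that window at no cost. The same loop is repeated verbatim in ndpi_flow_info_free_data in reader_util.c; a small exported helper would keep the two from drifting. ndpi_free_flow_data starts outside the hunk.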
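Review bot: The new `ndpi_bitmap *bitmap` parameter of ndpi_grab_dns_name_internal carries no comment, while the sibling parameters are annotated inline such as `/* payload offset */`. Suggest `ndpi_bitmap *bitmap /* compression-pointer offsets already followed; owned by the caller */` so the recursion contract used by the compressed-name branch in the next hunk is visible from the signature. The function body continues past the hunk.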
@@ -251,8 +253,40 @@ static u_int8_t ndpi_grab_dns_name(struct ndpi_packet_struct *packet, && (packet->payload[(*off)] != '\0')) { u_int8_t c, cl = packet->payload[*off]; - if(((cl & 0xc0) != 0) || // we not support compressed names in query - (((*off)+1) + cl >= packet->payload_packet_len)) { + if((cl & 0xc0) == 0xc0) { /* start of a compressed name */ + if(*off + 1 >= packet->payload_packet_len) { + hostname_is_valid = 0; + j = 0; + break; + } + + (*off)++; + u_int8_t byte2 = packet->payload[(*off)++]; + /* works for little and big endian. We don't need to check for (*off) < packet->payload_packet_len + * since it's checked in the recursive call */ + u_int32_t ptr = ((cl & 0x3F) << 8 | byte2) + (packet->tcp ? 2 : 0); + + if (ndpi_bitmap_isset(bitmap, ptr)) { + // TODO: malformed packet since there is an infinite loop compressed name, maybe set_risk here + return 0; + } + + ndpi_bitmap_set(bitmap, ptr); + + if (j && j < max_len) { + _hostname[j++] = '.'; + } + + u_int nested_len = 0; + hostname_is_valid = ndpi_grab_dns_name_internal(packet, &ptr, &_hostname[j], max_len - j, + &nested_len, ignore_checks, bitmap) && hostname_is_valid; + + j += nested_len; + /* compressed names are always terminal */ + break; + } + + if(((*off)+1) + cl >= packet->payload_packet_len) { /* Don't update the offset */ j = 0; break; 
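Review bot: The new compressed-name branch only treats `(cl & 0xc0) == 0xc0` as a pointer, whereas the removed condition rejected any label byte with either top bit set; a label with prefix 0x40 or 0x80 (the reserved/extended label types) now falls through to the plain-label path and is consumed as a label of up to 191 octets, beyond the 63-octet maximum the old check implicitly enforced. Keep the rejection for those prefixes ahead of the length check, e.g. after the pointer branch `if((cl & 0xc0) != 0) { /* extended label types are not supported */ hostname_is_valid = 0; j = 0; break; }`. Separately, the loop-detection `return 0` leaves the function without the epilogue that presumably stores `*_hostname_len` (outside the hunk), so the caller's length variable keeps whatever it held; going through the normal exit with `hostname_is_valid = 0; j = 0; break;` is safer than a bare return. The enclosing function starts and ends outside the hunk.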
@@ -296,8 +330,77 @@ static u_int8_t ndpi_grab_dns_name(struct ndpi_packet_struct *packet, return(hostname_is_valid); } +static u_int8_t ndpi_grab_dns_name(struct ndpi_packet_struct *packet, + u_int *off /* payload offset */, + char *_hostname, u_int max_len, + u_int *_hostname_len, + u_int8_t ignore_checks) { + ndpi_bitmap *visited_indexes; + if ((visited_indexes = ndpi_bitmap_alloc()) != NULL) { + const int hostname_is_valid = ndpi_grab_dns_name_internal(packet, off, _hostname, max_len, + _hostname_len, ignore_checks, visited_indexes); + ndpi_bitmap_free(visited_indexes); + return hostname_is_valid; + } + *_hostname_len = 0; +#ifndef DNS_DEBUG + printf("[DNS] Out of memory\n"); +#endif + return 0; +} + /* *********************************************** */ +static int add_to_mdns_metadata(struct ndpi_flow_struct *flow, + u_int16_t rsp_type, u_int16_t rsp_class, u_int32_t ttl, + u_int16_t data_len, u_int16_t srv_port, char *data, + u_int16_t name_len, const char *name) { + if(flow->mdns_metadata.services == NULL) { + if((flow->mdns_metadata.services = ndpi_calloc( + MAX_NUM_MDNS_ADVERTISED_SERVICES, sizeof(struct ndpi_mdns_rsp_entry))) == NULL) { + return -1; + } + } + + /* check for duplicates: we ignore them and free data */ + for(int i = 0; i < flow->mdns_metadata.num_services; i++) { + struct ndpi_mdns_rsp_entry *svc = &flow->mdns_metadata.services[i]; + size_t dl; /* data len */ + + if(svc->rsp_type == rsp_type && + svc->rsp_class == rsp_class && + svc->ttl == ttl && + svc->data_len == data_len && + svc->srv_port == srv_port && + strlen(svc->name) == name_len && + strlen(svc->data) == (dl = strlen(data)) && + memcmp(svc->name, name, name_len) == 0 && + memcmp(svc->data, data, dl) == 0) { + if(data) ndpi_free(data); + return 0; + } + } + + struct ndpi_mdns_rsp_entry *service = &flow->mdns_metadata.services[flow->mdns_metadata.num_services]; + service->rsp_class = rsp_class; + service->rsp_type = rsp_type; + service->ttl = ttl; + service->data_len = data_len; /* 
already host */ + + if((service->name = ndpi_malloc(name_len + 1)) == NULL) { + return -1; + } + memcpy(service->name, name, name_len); + service->name[name_len] = 0; + + service->data = data; /* already host */ + + service->srv_port = srv_port; /* already checked if is zero */ + + ++flow->mdns_metadata.num_services; + return 0; +} + static int process_queries(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, struct ndpi_dns_packet_header *dns_header, @@ -358,12 +461,23 @@ static int process_answers(struct ndpi_detection_module_struct *ndpi_struct, for(num = 0; num < dns_header->num_answers; num++) { u_int16_t data_len; + u_int y = x; /* we need a copy of x when x points to name */ if((data_len = getNameLength(x, packet->payload, packet->payload_packet_len)) == 0) { return -1; - } else - x += data_len; + } + x += data_len; + + u_int name_len; + + char name[255]; /* DNS names are max 254 bytes long +1 null-byte */ + if(ndpi_grab_dns_name(packet, &y, name, sizeof(name), + &name_len, ignore_checks) == 0) { + // todo: invalid name, maybe set a risk here + } + + char *data = NULL; if((x+8) >= packet->payload_packet_len) { return -1; @@ -387,6 +501,19 @@ static int process_answers(struct ndpi_detection_module_struct *ndpi_struct, /* x points to the response "class" field */ if((x+12) <= packet->payload_packet_len) { + u_int16_t srv_port = 0; + u_int16_t raw_rsp_class = ntohs(*(u_int16_t *) &packet->payload[x]);; + u_int16_t rsp_class; + + if(proto->master_protocol == NDPI_PROTOCOL_MDNS) { +#ifdef DNS_DEBUG /* avoid warning "unused variable ‘cache_flush’ [-Wunused-variable]" */ + u_int8_t cache_flush = (raw_rsp_class & 0x8000) != 0; +#endif + rsp_class = raw_rsp_class & 0x7FFF; + } else { + rsp_class = raw_rsp_class; + } + u_int32_t ttl = ntohl(*((u_int32_t*)&packet->payload[x+2])); x += 6; 
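Review bot: The out-of-memory message in the new ndpi_grab_dns_name wrapper is guarded by `#ifndef DNS_DEBUG`, the inverse of every other `[DNS] Out of memory` print in this commit, so it fires in non-debug builds and is silent in debug ones; it should read `#ifdef DNS_DEBUG`. The wrapper also allocates and frees a bitmap for every name parsed, which with this commit means one per answer record of every mDNS packet; allocating it once per packet and clearing it between names would keep that off the per-record path (the bitmap API's cost is not visible here, so treat this as a suggestion). In add_to_mdns_metadata the duplicate check calls `strlen(data)` before the `if(data) ndpi_free(data);` guard, so either `data` cannot be NULL and the guard is misleading, or the strlen is a NULL dereference; the caller only reaches it with `data != NULL`, so dropping the guard and stating that precondition in a comment documents the contract.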
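Review bot: `u_int name_len;` is declared uninitialized and the failure branch of the ndpi_grab_dns_name call below it only carries a todo, so when the grab returns 0 without storing a length (the loop-detection early return in the @@ -251 hunk is one such path) `name_len` is read uninitialized at the later `name_len <= 0` test and, if non-zero, becomes the byte count that add_to_mdns_metadata memcpy()s out of the 255-byte stack buffer `name`. Initialise it and clear it on failure: `u_int name_len = 0;` and, in the failure branch, `name_len = 0;`. The `name[255]` comment says a name is at most 254 bytes plus a terminator, but `sizeof(name)` is passed as max_len, so whether the terminator is counted inside that limit depends on the callee and deserves a sentence in the comment. process_answers starts and ends outside the hunk.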
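Review bot: `ntohs(*(u_int16_t *) &packet->payload[x]);;` carries a stray second semicolon, and the `cache_flush` bit it is split off for is computed only under DNS_DEBUG and then never used, so it is dead in both build modes; either print it in the debug path or drop it, keeping the `& 0x7FFF` masking that does the real work. The read through a cast `u_int16_t *` into the payload is unaligned on strict-alignment targets; the surrounding code already does the same for `ttl`, so it is consistent, but a `memcpy()` into a local would be the safe form for new code. The function continues outside the hunk.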
@@ -403,7 +530,7 @@ static int process_answers(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t ptr_len = (packet->payload[x-2] << 8) + packet->payload[x-1]; if((x + ptr_len) <= packet->payload_packet_len) { - if(found == 0) { + if(found == 0 || proto->master_protocol == NDPI_PROTOCOL_MDNS) { u_int len, orig_x; orig_x = x; @@ -415,6 +542,16 @@ static int process_answers(struct ndpi_detection_module_struct *ndpi_struct, We unconditionally update it at the end of the for loop */ x = orig_x; found = 1; + if(proto->master_protocol == NDPI_PROTOCOL_MDNS && len > 0) { + if((data = ndpi_malloc(len + 1)) != NULL) { + memcpy(data, flow->protos.dns.ptr_domain_name, len); + data[len] = '\0'; + } else { +#ifdef DNS_DEBUG + printf("[DNS] Out of memory\n"); +#endif + } + } } } } else if((((rsp_type == 0x1) && (data_len == 4)) /* A */ 
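Review bot: With `found == 0 || proto->master_protocol == NDPI_PROTOCOL_MDNS` every PTR answer of an mDNS packet now re-runs the name grab into `flow->protos.dns.ptr_domain_name`, so after the loop that field holds the last PTR target rather than the first; if the reported hostname is derived from it, that is a behaviour change the commit message should mention. The copy into `data` in the @@ -415 hunk uses `len` from that grab, which is fine as long as `len` is bounded by `sizeof(flow->protos.dns.ptr_domain_name)` in the code between the hunks — worth a comment on the memcpy. The enclosing loop body starts and ends outside both hunks.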
@@ -462,18 +599,126 @@ static int process_answers(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "Adding entry to fpc_dns: %s proto %d\n", data_len == 4 ? "ipv4" : "ipv6", proto->app_protocol); } + } else if(rsp_type == 0x10 /* TXT */) { + if(proto->master_protocol == NDPI_PROTOCOL_MDNS) { + char sep[] = ", "; + size_t sep_len = sizeof(sep) - 1; + + /* We alloc more space than needed since we need space for separators. + * Also notice TXT fields don't use name compression, so we base our size + * on data_len. */ + if((data = ndpi_malloc(data_len + (sep_len * data_len) + 1)) != NULL) { + u_int x_orig = x; + data[0] = 0; /* it surely exists due to its size being minimum 1 (if data_len = 0) */ + int is_invalid = 1; + + size_t bytes_read = 0; + size_t data_offset = 0; + + while(bytes_read < data_len) { + u_int8_t txt_subfield_len = packet->payload[x_orig++]; + bytes_read++; + + is_invalid = txt_subfield_len + bytes_read > data_len || + txt_subfield_len > packet->payload_packet_len - x_orig; + if(is_invalid) { + /* todo: this is a malformed DNS packet, maybe set_risk here */ + break; + } + if(txt_subfield_len == 0) { + /* todo: maybe "txt subfield with zero len" can be a minor issue risk */ + continue; /* nothing to do for an empty string */ + } + + memcpy(data + data_offset, &packet->payload[x_orig], txt_subfield_len); + data_offset += txt_subfield_len; + memcpy(data + data_offset, sep, sep_len); + data_offset += sep_len; + + x_orig += txt_subfield_len; + bytes_read += txt_subfield_len; + } + if(is_invalid) { + ndpi_free(data); + data = NULL; + } else { + if(data_offset >= sep_len) { /* if the while cycle didn't do any iteration, data_offset is 0 */ + data[data_offset - sep_len] = 0; /* - sep_len removes the last separator */ + } else { + data[data_offset] = 0; + } + } + } else { +#ifdef DNS_DEBUG + printf("[DNS] Out of memory\n"); +#endif + } + } + } else if(rsp_type == 0x21 /* SRV */) { + if(proto->master_protocol == NDPI_PROTOCOL_MDNS) { 
+ u_int x_orig = x; + x_orig += 4; /* skip priority and weight */ + srv_port = ntohs(*(u_int16_t*)&packet->payload[x_orig]); + x_orig += 2; /* skip port */ + + if(srv_port != 0) { + /* Target might use compression, and we can't determine its length a priori, + * so unfortunately we need to first find it and then copy it */ + char target[255]; + u_int target_len = 0; + + if(ndpi_grab_dns_name(packet, &x_orig, target, sizeof(target), + &target_len, ignore_checks)) { + if(target_len > 0) { + if((data = ndpi_malloc(target_len + 1)) != NULL) { + memcpy(data, target, target_len); + data[target_len] = 0; + } else { +#ifdef DNS_DEBUG + printf("[DNS] Out of memory\n"); +#endif + } + } + } else { + /* todo: maybe set_risk here, malformed name */ + } + } else { + /* todo: this is malformed since ports can't be zero, maybe set_risk here */ + } + } } x += data_len; } + + if (data != NULL) { + if(proto->master_protocol == NDPI_PROTOCOL_MDNS) { + if(name_len <= 0 || + flow->mdns_metadata.num_services >= MAX_NUM_MDNS_ADVERTISED_SERVICES) { + /* info was useless or we reached the limit */ + ndpi_free(data); + } else if(add_to_mdns_metadata(flow, rsp_type, rsp_class, rsp_ttl, + data_len,srv_port, data, name_len, name) < 0) { +#ifdef DNS_DEBUG + printf("[DNS] Out of memory\n"); +#endif + /* if calloc/malloc fails inside add_to_mdns_metadata(), num_services won't be incremented. + * So we need to free data now, otherwise it will never be. */ + ndpi_free(data); + } + } + } } - if(found && (dns_header->additional_rrs == 0)) { + if((found && (dns_header->additional_rrs == 0)) && + proto->master_protocol != NDPI_PROTOCOL_MDNS) { /* In case we have RR we need to iterate all the answers and not just consider the first one as we need to properly move 'x' to the right offset + + Also keep searching for mdns services */ break; } 
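Review bot: The SRV branch reads priority, weight and port at rdata offsets 0–5 and then parses the target from offset 6 without checking `data_len >= 6`; RFC 2782 fixes those six bytes, so a record advertising a shorter `data_len` should be skipped before the `ntohs` read, e.g. `if(data_len >= 6) { ... }` around the block — the port read is relative to `x`, not to the record end, so this check is needed whether or not the code between the hunks already validates `x + data_len` against `payload_packet_len`. In the TXT branch the guard `txt_subfield_len > packet->payload_packet_len - x_orig` is an unsigned subtraction that is only meaningful if `x_orig <= payload_packet_len` has already been established by that same outer rdata check, which a comment on the loop should state. The SRV target name is bounded by `payload_packet_len` rather than by the end of the record, so a target that runs past the rdata is accepted; bounding it with `x + data_len` would match the TXT handling. process_answers starts and ends outside the hunk.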
@@ -822,10 +1067,29 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct flow->protos.dns.transaction_id = dns_header.tr_id; rc = process_queries(ndpi_struct, flow, &dns_header, off); + if(rc == -1) { #ifdef DNS_DEBUG - if(rc == -1) printf("[DNS] Error queries (query msg)\n"); #endif + } else { + off = rc; + rc = process_answers(ndpi_struct, flow, &dns_header, off, &proto); + if(rc == -1) { +#ifdef DNS_DEBUG + printf("[DNS] Error answers (query msg)\n"); +#endif + } else { + off = rc; + rc = process_additionals(ndpi_struct, flow, &dns_header, off); + if(rc == -1) { +#ifdef DNS_DEBUG + printf("[DNS] Error additionals (query msg)\n"); +#endif + } + // we do not care about this in queries even if it is modified in process_additionals + flow->protos.dns.edns0_udp_payload_size = 0; + } + } } else { flow->protos.dns.is_query = 0; flow->protos.dns.transaction_id = dns_header.tr_id; diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out index f608e002fa5..911d5ea0c46 100644 --- a/tests/cfgs/default/result/anyconnect-vpn.pcap.out +++ b/tests/cfgs/default/result/anyconnect-vpn.pcap.out 
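Review bot: In the query-message path search_dns now runs process_answers and process_additionals for every protocol, not only mDNS, and process_answers (see the context of the @@ -462 hunk) inserts A/AAAA answers into the fpc_dns cache; a client-originated query carrying an answer section would therefore feed that cache, which previously only responses could do. I cannot see whether process_answers gates that insertion on the query flag, so please either confirm it or restrict the new calls to `proto.master_protocol == NDPI_PROTOCOL_MDNS`, the case this commit targets (mDNS known-answer suppression is what puts answers in queries). After the new chain `rc` holds the result of process_additionals rather than process_queries; if anything after the hunk still reads `rc` as the queries offset, that changed. The three nested `if(rc == -1) … else` levels would read more easily as guarded early exits, but that is style only. search_dns starts and ends outside the hunk.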
@@ -70,21 +70,21 @@ JA Host Stats: 10 TCP 10.0.0.227:56955 <-> 10.0.0.151:8060 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][6 pkts/650 bytes <-> 5 pkts/1668 bytes][Goodput ratio: 37/80][4.02 sec][Hostname/SNI: 10.0.0.151][bytes ratio: -0.439 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 4/4 9/6 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 108/334 308/1206 89/442][URL: 10.0.0.151:8060/dial/dd.xml][StatusCode: 200][Content-Type: text/xml][Server: Roku UPnP/1.0 MiniUPnPd/1.4][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 60][Risk Info: Found host 10.0.0.151 / Expected on port 80][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /dial/dd.xml HTTP/1.1)][Plen Bins: 0,0,0,0,0,33,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0] 11 TCP 10.0.0.227:56917 <-> 184.25.56.77:80 [proto: 7/HTTP][Stack: HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: ConnCheck/30][Breed: Safe][6 pkts/976 bytes <-> 4 pkts/1032 bytes][Goodput ratio: 62/74][18.47 sec][Hostname/SNI: detectportal.firefox.com][bytes ratio: -0.028 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 28/573 3694/6151 10081/10078 4344/4052][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 163/258 368/450 145/192][URL: detectportal.firefox.com/success.txt][StatusCode: 200][Content-Type: text/plain][Server: AmazonS3][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 TCP 10.0.0.227:56954 <-> 10.0.0.149:8008 [proto: 7/HTTP][Stack: HTTP][IP: 
0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Acceptable][4 pkts/527 bytes <-> 3 pkts/1401 bytes][Goodput ratio: 48/85][0.01 sec][Hostname/SNI: 10.0.0.149][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/3 2/3 6/3 3/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 132/467 317/1261 107/561][URL: 10.0.0.149:8008/ssdp/device-desc.xml][StatusCode: 200][Content-Type: application/xml][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 60][Risk Info: Found host 10.0.0.149 / Expected on port 80][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (HGET /ssdp/device)][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0] - 13 UDP [fe80::408:3e45:3abc:1552]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][9 pkts/1628 bytes -> 0 pkts/0 bytes][Goodput ratio: 66/0][25.40 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 152/0 181/0 206/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 13 UDP [fe80::408:3e45:3abc:1552]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 3600s rdatalength: 20 rsp_type: PTR data: _companion-link._tcp.local advertised lp-rkerur-osx (9)._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][9 pkts/1628 bytes -> 0 pkts/0 bytes][Goodput 
ratio: 66/0][25.40 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 152/0 181/0 206/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 UDP 10.0.0.227:137 -> 10.0.0.255:137 [proto: 10/NetBIOS][Stack: NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][15 pkts/1542 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][6.05 sec][Hostname/SNI: lp-rkerur-osx][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 465/0 1499/0 677/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 103/0 110/0 9/0][PLAIN TEXT ( EMFACNFCELEFFC)][Plen Bins: 0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 15 TCP 10.0.0.227:56914 <-> 52.37.243.173:443 [proto: 91/TLS][Stack: TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 5][cat: Web/5][Breed: Safe][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][21.75 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/1 3340/2605 9634/9670 4130/3611][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 16 TCP 10.0.0.227:56915 <-> 52.37.243.173:443 [proto: 91/TLS][Stack: TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 5][cat: Web/5][Breed: Safe][8 pkts/847 bytes <-> 7 pkts/651 bytes][Goodput ratio: 38/29][22.76 sec][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 35/0 3340/3011 10636/10673 4210/3967][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 106/93 131/129 31/31][nDPI Fingerprint: 
d9b1e7338e475c535e75d9f1f452155e][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 17 UDP 10.0.0.213:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][9 pkts/1448 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][25.40 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 132/0 161/0 186/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 17 UDP 10.0.0.213:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 3600s rdatalength: 20 rsp_type: PTR data: _companion-link._tcp.local advertised lp-rkerur-osx (9)._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][9 pkts/1448 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][25.40 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 819/0 3174/0 11263/0 3646/0][Pkt Len c2s/s2c min/avg/max/stddev: 132/0 161/0 186/0 24/0][PLAIN TEXT (companion)][Plen Bins: 0,0,33,22,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 UDP 10.0.0.151:1900 -> 10.0.0.227:57547 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][4 pkts/1412 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][2.86 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 
0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 10.0.0.227:56881 <-> 162.222.43.153:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][Breed: Safe][6 pkts/762 bytes <-> 6 pkts/396 bytes][Goodput ratio: 48/0][0.05 sec][bytes ratio: 0.316 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 0/1 0/2 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 82/66 127/66 292/66 75/0][Plen Bins: 50,33,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 20 UDP 10.0.0.227:57547 -> 239.255.255.250:1900 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][4 pkts/864 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][3.00 sec][Hostname/SNI: 239.255.255.250][User-Agent: Google Chrome/77.0.3865.90 Mac OS X][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 21 UDP 10.0.0.149:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][4 pkts/655 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][0.00 sec][Hostname/SNI: _googlezone._tcp.local][_googlezone._tcp.local][PLAIN TEXT (googlezone)][Plen Bins: 0,25,25,0,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 21 UDP 10.0.0.149:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 120s rdatalength: 39 rsp_type: PTR data: _googlezone._tcp.local advertised 79d88e83-725c-b71b-bad0-5862d5b22386._googlezone._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][4 pkts/655 bytes -> 0 pkts/0 
bytes][Goodput ratio: 74/0][0.00 sec][Hostname/SNI: _googlezone._tcp.local][_googlezone._tcp.local][PLAIN TEXT (googlezone)][Plen Bins: 0,25,25,0,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 22 UDP 10.0.0.149:38616 -> 10.0.0.227:61328 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 23 UDP 10.0.0.149:48166 -> 10.0.0.227:57547 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 24 UDP 10.0.0.149:49816 -> 10.0.0.227:57547 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 25 UDP 10.0.0.149:50081 -> 10.0.0.227:57547 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][Risk: 
** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 26 UDP 10.0.0.149:51382 -> 10.0.0.227:57547 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/556 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (HTTP/1.1 200 OK)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 27 UDP 10.0.0.227:5353 -> 10.0.0.213:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/548 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][12.10 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 27 UDP 10.0.0.227:5353 -> 10.0.0.213:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 4500s rdatalength: 20 rsp_type: PTR data: _companion-link._tcp.local advertised lp-rkerur-osx (9)._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/548 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][12.10 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 28 TCP 10.0.0.227:56879 <-> 52.10.115.210:443 [proto: 91/TLS][Stack: TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI 
packets: 2][cat: Web/5][Breed: Safe][4 pkts/342 bytes <-> 2 pkts/202 bytes][Goodput ratio: 23/34][0.61 sec][bytes ratio: 0.257 (Upload)][IAT c2s/s2c min/avg/max/stddev: 33/574 203/574 541/574 239/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/101 86/101 105/101 20/0][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 29 UDP 10.0.0.227:59582 <-> 75.75.75.75:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/92 bytes <-> 1 pkts/323 bytes][Goodput ratio: 54/87][0.02 sec][Hostname/SNI: 1-courier.sandbox.push.apple.com][17.188.138.71][DNS Id: 0x1090][PLAIN TEXT (courier)][Plen Bins: 0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 30 TCP 10.0.0.227:56871 <-> 8.37.103.196:443 [proto: 91/TLS][Stack: TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][Breed: Safe][1 pkts/66 bytes <-> 5 pkts/330 bytes][Goodput ratio: 0/0][20.32 sec][bytes ratio: -0.667 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/66 66/66 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/dns.pcap.out b/tests/cfgs/default/result/dns.pcap.out index 8c4eaede89d..0f5bf98205d 100644 --- a/tests/cfgs/default/result/dns.pcap.out +++ b/tests/cfgs/default/result/dns.pcap.out 
@@ -29,6 +29,6 @@ Acceptable 17 3553 4 Network 17 3553 4 1 TCP [2001:b07:a3d:c112:b831:a73f:7974:e604]:49774 <-> [2001:b07:a3d:c112::1]:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][Breed: Acceptable][6 pkts/490 bytes <-> 5 pkts/2156 bytes][Goodput ratio: 7/82][0.01 sec][Hostname/SNI: opentracker.io][45.9.60.30][DNS Id: 0x3d73][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/2 6/5 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 82/431 108/1294 13/481][TCP Fingerprint: 2_64_65535_108f896b6121/Unknown][PLAIN TEXT (opentracker)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0] - 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 5) - rsp_class: 1 ttl: 120s rdatalength: 15 rsp_type: PTR data: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa advertised android.local; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: adb-unidentified._adb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _adb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _adb._tcp.local advertised adb-unidentified._adb._tcp.local; rsp_class: 1 ttl: 
120s rdatalength: 8 rsp_type: SRV data: adb-unidentified._adb._tcp.local is on port 5555][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][169.45.219.235][DNS Id: 0x7843][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.example.com][0.0.0.0][DNS Id: 0xbc1f][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/dns_invert_query.pcapng.out b/tests/cfgs/default/result/dns_invert_query.pcapng.out index 39c2c102916..365b02f5211 100644 --- a/tests/cfgs/default/result/dns_invert_query.pcapng.out +++ b/tests/cfgs/default/result/dns_invert_query.pcapng.out 
@@ -11,9 +11,9 @@ LRU cache fpc_dns: 0/0/0 (insert/search/found) Automa host: 2/0 (search/found) Automa domain: 1/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) +Automa risk mask: 1/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 1/0 (search/found) Patricia risk IPv6: 0/0 (search/found) @@ -26,4 +26,4 @@ Acceptable 2 134 1 Network 2 134 1 - 1 UDP 173.147.108.174:18427 <-> 244.187.95.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/78 bytes <-> 1 pkts/56 bytes][Goodput ratio: 46/21][0.00 sec][Hostname/SNI: 216.58.202.4][0.0.0.0][DNS Id: 0x77fc][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NOTIMP][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 173.147.108.174:18427 <-> 244.187.95.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/78 bytes <-> 1 pkts/56 bytes][Goodput ratio: 46/21][0.00 sec][Hostname/SNI: 216.58.202.4][0.0.0.0][DNS Id: 0x77fc][Risk: ** Error Code **** Minor Issues **][Risk Score: 20][Risk Info: DNS Record with zero TTL / DNS Error Code NOTIMP][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out index 1978666b49b..411c13784f2 100644 --- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out 
@@ -14,8 +14,8 @@ LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/66/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) LRU cache fpc_dns: 0/66/0 (insert/search/found) -Automa host: 467/0 (search/found) -Automa domain: 230/0 (search/found) +Automa host: 471/0 (search/found) +Automa domain: 232/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 16/0 (search/found) Automa common alpns: 0/0 (search/found) 
@@ -243,7 +243,7 @@ System 109 10824 29 193 UDP 192.168.1.2:2822 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Hostname/SNI: 1.0.0.1?7.in-addr.arpa][0.0.0.0][DNS Id: 0x0c08][Risk: ** Non-Printable/Invalid Chars Detected **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No server to client traffic / Invalid chars detected in domain name][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 194 UDP 192.168.1.2:2828 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][0.0.0.0][DNS Id: 0x3c32][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 195 UDP 192.168.1.18:2751 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][0.0.0.0][DNS Id: 0x1aca][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 196 UDP 192.168.1.57:2771 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][0.0.0.0][DNS Id: 0xfde0][Risk: 
** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 196 UDP 192.168.1.57:2771 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Hostname/SNI: 1.0.0.][0.0.0.0][DNS Id: 0xfde0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 197 UDP 192.168.1.110:2765 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][0.0.0.0][DNS Id: 0x68fd][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 198 UDP 192.168.33.2:2782 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][0.0.0.0][DNS Id: 0x4fe4][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 199 UDP 200.168.1.2:2735 -> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes -> 0 pkts/0 
bytes][Goodput ratio: 48/0][< 1 sec][Hostname/SNI: 1.0.0.127.in-adds.arpa][0.0.0.0][DNS Id: 0xf3db][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/iphone.pcap.out b/tests/cfgs/default/result/iphone.pcap.out index a3e40062d49..bebbe685626 100644 --- a/tests/cfgs/default/result/iphone.pcap.out +++ b/tests/cfgs/default/result/iphone.pcap.out 
@@ -71,9 +71,9 @@ JA Host Stats: 13 TCP 192.168.2.17:50577 <-> 17.130.2.46:443 [proto: 91.140/TLS.Apple][Stack: TLS.Apple][IP: 140/Apple][Encrypted][Confidence: DPI][FPC: 140/Apple, Confidence: DNS][DPI packets: 8][cat: Web/5][Breed: Safe][10 pkts/1721 bytes <-> 8 pkts/4801 bytes][Goodput ratio: 61/89][0.67 sec][Hostname/SNI: gsp85-ssl.ls.apple.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.472 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 81/52 171/161 80/73][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 172/600 583/1506 165/572][nDPI Fingerprint: 3b04572144a728c2faccf30986f300fa][TCP Fingerprint: 194_64_65535_d0a7eb742982/Unknown][TLSv1.2][JA4: t13d2614h2_2802a3db6c62_0e42e90cf648][ServerNames: *.ls.apple.com][JA3S: 4ef1b297bb817d8212165a86308bac5f][Issuer: CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US][Subject: CN=*.ls.apple.com, OU=management:idms.group.576486, O=Apple Inc., ST=California, C=US][Certificate SHA-1: E4:85:25:4C:99:F8:FB:66:49:4B:80:64:5E:63:2A:75:9B:8F:C3:51][Safari][Validity: 2019-03-15 23:17:29 - 2021-04-13 23:17:29][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,11,0,11,0,0,0,11,11,0,0,11,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0] 14 TCP 192.168.2.17:50585 <-> 17.137.166.35:443 [proto: 91.140/TLS.Apple][Stack: TLS.Apple][IP: 140/Apple][Encrypted][Confidence: DPI][FPC: 140/Apple, Confidence: DNS][DPI packets: 8][cat: Web/5][Breed: Safe][6 pkts/1051 bytes <-> 6 pkts/4246 bytes][Goodput ratio: 61/90][1.05 sec][Hostname/SNI: gsa.apple.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.603 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 132/52 322/206 138/89][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 175/708 583/1506 188/647][nDPI Fingerprint: 92587104b60337422ac6966cdaf76f9e][TCP Fingerprint: 
194_64_65535_d0a7eb742982/Unknown][TLSv1.2][JA4: t13d2613h1_2802a3db6c62_845d286b0d67][ServerNames: gsas.apple.com,gsa.apple.com][JA3S: c4b2785a87896e19d37eee932070cb22][Issuer: CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US][Subject: CN=gsa.apple.com, O=Apple Inc., ST=California, C=US][Certificate SHA-1: D4:EF:5E:AD:7F:D5:13:5B:9F:B2:B9:84:19:75:BB:ED:53:FB:18:D6][Safari][Validity: 2019-03-07 00:55:40 - 2020-04-05 00:55:40][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] 15 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][7 pkts/2394 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][43.15 sec][Hostname/SNI: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1022/0 7191/0 8962/0 2834/0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342/0 342/0 0/0][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][PLAIN TEXT (iPhone)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 UDP 169.254.225.216:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2123 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] - 17 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2094 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 
sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0] - 18 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][3 pkts/2067 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 169.254.225.216:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 8) - rsp_class: 1 ttl: 4500s rdatalength: 52 rsp_type: TXT data: luca’s imac._odisk._tcp.local additional info sys=waMA=C4:2C:03:06:49:FE,adVF=0x4,adDT=0x3,adCC=0; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _odisk._tcp.local advertised luca’s imac._odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 26 rsp_type: TXT data: luca’s imac._device-info._tcp.local additional info model=iMac11,3, osxvers=17; rsp_class: 1 ttl: 4500s rdatalength: 51 rsp_type: TXT data: _kerberos.lucas-imac.local additional info LKDC:SHA1.492480C3EA8282771A0D288F111EF9E751F95A63; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: luca’s imac._smb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _smb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _smb._tcp.local advertised luca’s imac._smb._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2123 bytes -> 0 
pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] + 17 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 8) - rsp_class: 1 ttl: 4500s rdatalength: 52 rsp_type: TXT data: luca’s imac._odisk._tcp.local additional info sys=waMA=C4:2C:03:06:49:FE,adVF=0x4,adDT=0x3,adCC=0; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _odisk._tcp.local advertised luca’s imac._odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 26 rsp_type: TXT data: luca’s imac._device-info._tcp.local additional info model=iMac11,3, osxvers=17; rsp_class: 1 ttl: 4500s rdatalength: 51 rsp_type: TXT data: _kerberos.lucas-imac.local additional info LKDC:SHA1.492480C3EA8282771A0D288F111EF9E751F95A63; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: luca’s imac._smb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _smb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _smb._tcp.local advertised luca’s imac._smb._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2094 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0] + 18 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 8) - rsp_class: 1 ttl: 4500s rdatalength: 52 rsp_type: TXT data: 
luca’s imac._odisk._tcp.local additional info sys=waMA=C4:2C:03:06:49:FE,adVF=0x4,adDT=0x3,adCC=0; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _odisk._tcp.local advertised luca’s imac._odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 26 rsp_type: TXT data: luca’s imac._device-info._tcp.local additional info model=iMac11,3, osxvers=17; rsp_class: 1 ttl: 4500s rdatalength: 51 rsp_type: TXT data: _kerberos.lucas-imac.local additional info LKDC:SHA1.492480C3EA8282771A0D288F111EF9E751F95A63; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: luca’s imac._smb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _smb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _smb._tcp.local advertised luca’s imac._smb._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][3 pkts/2067 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 192.168.2.17:49152 <-> 17.253.105.202:80 [proto: 7.140/HTTP.Apple][Stack: HTTP.Apple][IP: 140/Apple][ClearText][Confidence: DPI][FPC: 140/Apple, Confidence: DNS][DPI packets: 6][cat: ConnCheck/30][Breed: Safe][5 pkts/473 bytes <-> 4 pkts/968 bytes][Goodput ratio: 28/72][0.33 sec][Hostname/SNI: captive.apple.com][bytes ratio: -0.344 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 82/80 171/158 82/78][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/242 197/762 51/300][URL: captive.apple.com/hotspot-detect.html][StatusCode: 200][Content-Type: text/html][Server: ATS/8.0.6][User-Agent: CaptiveNetworkSupport-390.60.1 wispr][TCP Fingerprint: 
194_64_65535_d29295416479/macOS][PLAIN TEXT (GET /hotspot)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 20 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][Stack: Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 121/Dropbox, Confidence: DPI][DPI packets: 1][cat: Cloud/13][Breed: Acceptable][2 pkts/1104 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 UDP 192.168.2.1:67 -> 192.168.2.17:68 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (iMac.local)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/telegram.pcap.out b/tests/cfgs/default/result/telegram.pcap.out index bc3d52f48c7..9e0f89c68fb 100644 --- a/tests/cfgs/default/result/telegram.pcap.out +++ b/tests/cfgs/default/result/telegram.pcap.out 
@@ -48,27 +48,27 @@ Music 9 742 2 1 UDP 192.168.1.77:28150 <-> 91.108.8.1:533 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][12 pkts/1272 bytes <-> 276 pkts/68136 bytes][Goodput ratio: 60/83][16.92 sec][bytes ratio: -0.963 (Download)][IAT c2s/s2c min/avg/max/stddev: 48/0 290/61 504/476 186/43][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 106/247 138/330 24/41][Plen Bins: 0,2,4,3,0,19,37,21,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.77:28150 <-> 91.108.8.8:529 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][285 pkts/65890 bytes <-> 13 pkts/1522 bytes][Goodput ratio: 82/64][16.92 sec][bytes ratio: 0.955 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/27 59/210 504/472 30/201][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 231/117 314/138 44/16][Plen Bins: 0,2,4,3,8,28,14,37,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP [fe80::4ba:91a:7817:e318]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][120 pkts/27243 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][58.59 sec][Hostname/SNI: _dacp._tcp.local][_dacp._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 504/0 17386/0 1760/0][Pkt Len c2s/s2c min/avg/max/stddev: 162/0 227/0 489/0 65/0][PLAIN TEXT (iTunes)][Plen Bins: 0,0,0,50,8,20,0,5,15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP [fe80::4ba:91a:7817:e318]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 0s rdatalength: 31 rsp_type: PTR data: _dacp._tcp.local advertised 
itunes_ctrl_4abb39a41eefdeb3._dacp._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][120 pkts/27243 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][58.59 sec][Hostname/SNI: _dacp._tcp.local][_dacp._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 504/0 17386/0 1760/0][Pkt Len c2s/s2c min/avg/max/stddev: 162/0 227/0 489/0 65/0][PLAIN TEXT (iTunes)][Plen Bins: 0,0,0,50,8,20,0,5,15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.1.77:23174 <-> 91.108.8.7:521 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][57 pkts/12266 bytes <-> 66 pkts/14180 bytes][Goodput ratio: 80/80][4.58 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/4 78/65 500/308 73/53][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 215/215 282/298 59/49][Plen Bins: 0,4,6,8,0,27,38,14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 UDP 192.168.1.75:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][120 pkts/24843 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][58.59 sec][Hostname/SNI: _dacp._tcp.local][_dacp._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 504/0 17387/0 1760/0][Pkt Len c2s/s2c min/avg/max/stddev: 142/0 207/0 469/0 65/0][PLAIN TEXT (iTunes)][Plen Bins: 0,0,0,50,8,20,0,5,15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 192.168.1.75:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 0s rdatalength: 31 rsp_type: PTR data: _dacp._tcp.local advertised itunes_ctrl_4abb39a41eefdeb3._dacp._tcp.local][ClearText][Confidence: 
DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][120 pkts/24843 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][58.59 sec][Hostname/SNI: _dacp._tcp.local][_dacp._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 504/0 17387/0 1760/0][Pkt Len c2s/s2c min/avg/max/stddev: 142/0 207/0 469/0 65/0][PLAIN TEXT (iTunes)][Plen Bins: 0,0,0,50,8,20,0,5,15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.0.1:68 -> 255.255.255.255:67 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][12 pkts/3852 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][54.99 sec][Hostname/SNI: tl-sg116e][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4886/0 4987/0 5017/0 36/0][Pkt Len c2s/s2c min/avg/max/stddev: 321/0 321/0 321/0 0/0][DHCP Fingerprint: 1,3][DHCP Class Ident: TL-SG116E][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP 192.168.1.77:5353 -> 192.168.1.75:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][9 pkts/2880 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][56.23 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3480/0 7028/0 31577/0 9279/0][Pkt Len c2s/s2c min/avg/max/stddev: 320/0 320/0 320/0 0/0][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.1.77:5353 -> 192.168.1.75:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 4500s rdatalength: 16 rsp_type: PTR data: _companion-link._tcp.local advertised luca’s 
imac._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][9 pkts/2880 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][56.23 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3480/0 7028/0 31577/0 9279/0][Pkt Len c2s/s2c min/avg/max/stddev: 320/0 320/0 320/0 0/0][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 8 UDP 192.168.1.77:50822 <-> 216.58.205.68:443 [proto: 188.126/QUIC.Google][Stack: QUIC.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 188.126/QUIC.Google, Confidence: DPI][DPI packets: 1][cat: Web/5][Breed: Acceptable][2 pkts/1462 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 94/97][0.03 sec][Hostname/SNI: www.google.com][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][QUIC ver: Q046][Idle Timeout: 30][PLAIN TEXT (www.google.com)][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0] 9 UDP 192.168.1.77:61974 <-> 216.58.205.68:443 [proto: 188.126/QUIC.Google][Stack: QUIC.Google][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 188.126/QUIC.Google, Confidence: DPI][DPI packets: 1][cat: Web/5][Breed: Acceptable][2 pkts/1462 bytes <-> 1 pkts/1392 bytes][Goodput ratio: 94/97][0.03 sec][Hostname/SNI: www.google.com][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][QUIC ver: Q046][Idle Timeout: 30][PLAIN TEXT (www.google.com)][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0] 10 UDP 192.168.1.77:28150 <-> 91.108.16.3:537 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][13 pkts/1410 bytes <-> 12 pkts/1384 bytes][Goodput ratio: 61/64][14.14 sec][bytes ratio: 0.009 
(Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/27 368/1416 1577/10001 452/3058][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 108/115 138/138 25/15][Plen Bins: 0,24,48,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP 192.168.1.77:28150 <-> 91.108.12.3:530 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][12 pkts/1272 bytes <-> 12 pkts/1384 bytes][Goodput ratio: 60/64][14.12 sec][bytes ratio: -0.042 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 48/17 407/439 1556/1278 452/379][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 106/115 138/138 24/15][Plen Bins: 0,25,50,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 UDP 192.168.1.77:28150 <-> 91.108.12.5:537 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][12 pkts/1272 bytes <-> 12 pkts/1384 bytes][Goodput ratio: 60/64][14.10 sec][bytes ratio: -0.042 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 48/31 405/436 1542/1278 447/377][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 106/115 138/138 24/15][Plen Bins: 0,25,50,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 13 UDP 192.168.1.77:28150 <-> 91.108.16.1:529 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][12 pkts/1272 bytes <-> 12 pkts/1384 bytes][Goodput ratio: 60/64][14.14 sec][bytes ratio: -0.042 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 48/24 410/438 1583/1240 460/372][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 106/115 138/138 24/15][Plen Bins: 0,25,50,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 192.168.1.69:5353 -> 224.0.0.251:5353 [proto: 
8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][7 pkts/2471 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][58.39 sec][Hostname/SNI: _spotify-connect._tcp.local][_spotify-connect._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1460/0 9731/0 48909/0 17522/0][Pkt Len c2s/s2c min/avg/max/stddev: 353/0 353/0 353/0 0/0][PLAIN TEXT (spotify)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 14 UDP 192.168.1.69:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 120s rdatalength: 47 rsp_type: PTR data: _spotify-connect._tcp.local advertised sonos7828ca05facc._spotify-connect._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][7 pkts/2471 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][58.39 sec][Hostname/SNI: _spotify-connect._tcp.local][_spotify-connect._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1460/0 9731/0 48909/0 17522/0][Pkt Len c2s/s2c min/avg/max/stddev: 353/0 353/0 353/0 0/0][PLAIN TEXT (spotify)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 15 UDP 192.168.1.77:23174 <-> 91.108.12.1:536 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][10 pkts/1044 bytes <-> 11 pkts/1294 bytes][Goodput ratio: 60/64][2.91 sec][bytes ratio: -0.107 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 133/22 310/271 949/491 255/132][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 104/118 138/138 26/17][Plen Bins: 0,28,38,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 16 UDP 192.168.1.77:23174 <-> 91.108.12.5:523 [proto: 
185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][9 pkts/906 bytes <-> 12 pkts/1432 bytes][Goodput ratio: 58/65][2.89 sec][bytes ratio: -0.225 (Download)][IAT c2s/s2c min/avg/max/stddev: 133/38 355/239 930/492 265/124][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 101/119 138/138 24/17][Plen Bins: 0,28,38,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 UDP 192.168.1.77:23174 <-> 91.108.8.8:538 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][9 pkts/906 bytes <-> 11 pkts/1294 bytes][Goodput ratio: 58/64][2.71 sec][bytes ratio: -0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 135/42 358/279 839/492 229/118][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 101/118 138/138 24/17][Plen Bins: 0,30,40,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 UDP 192.168.1.77:23174 <-> 91.108.16.1:527 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][9 pkts/906 bytes <-> 11 pkts/1294 bytes][Goodput ratio: 58/64][3.00 sec][bytes ratio: -0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 135/38 358/295 984/509 285/138][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 101/118 138/138 24/17][Plen Bins: 0,30,40,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 UDP 192.168.1.77:23174 <-> 91.108.16.4:538 [proto: 185/Telegram][Stack: Telegram][IP: 185/Telegram][Encrypted][Confidence: DPI][FPC: 185/Telegram, Confidence: DPI][DPI packets: 7][cat: Chat/9][Breed: Acceptable][9 pkts/906 bytes <-> 11 pkts/1294 bytes][Goodput ratio: 58/64][2.97 sec][bytes ratio: -0.176 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 135/36 358/294 969/496 
279/136][Pkt Len c2s/s2c min/avg/max/stddev: 74/90 101/118 138/138 24/17][Plen Bins: 0,30,40,30,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 UDP 192.168.1.53:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][18 pkts/2072 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][58.39 sec][Hostname/SNI: _googlecast._tcp.local][_googlecast._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 434/0 3583/0 15377/0 4331/0][Pkt Len c2s/s2c min/avg/max/stddev: 87/0 115/0 238/0 39/0][PLAIN TEXT (spotify)][Plen Bins: 0,73,0,16,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 UDP 192.168.1.53:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 5) - rsp_class: 1 ttl: 4500s rdatalength: 16 rsp_type: PTR data: _companion-link._tcp.local advertised luca’s imac._companion-link._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 14 rsp_type: PTR data: _companion-link._tcp.local advertised luca's ipad._companion-link._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 1._sleep-proxy._udp.local; rsp_class: 1 ttl: 4497s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 1._sleep-proxy._udp.local; rsp_class: 1 ttl: 4488s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 1._sleep-proxy._udp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 6][cat: Network/14][Breed: Acceptable][18 pkts/2072 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][58.39 sec][Hostname/SNI: _googlecast._tcp.local][_googlecast._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 434/0 3583/0 15377/0 4331/0][Pkt Len c2s/s2c min/avg/max/stddev: 87/0 115/0 238/0 
39/0][PLAIN TEXT (spotify)][Plen Bins: 0,73,0,16,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 UDP 192.168.1.77:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][Stack: Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 121/Dropbox, Confidence: DPI][DPI packets: 1][cat: Cloud/13][Breed: Acceptable][2 pkts/1012 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][31.08 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 22 UDP 192.168.1.77:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][Stack: Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 121/Dropbox, Confidence: DPI][DPI packets: 1][cat: Cloud/13][Breed: Acceptable][2 pkts/1012 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][31.08 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 23 UDP [fe80::18a0:a412:8935:c01b]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][5 pkts/945 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][40.09 sec][Hostname/SNI: _sleep-proxy._udp.local][_sleep-proxy._udp.local][PLAIN TEXT (homekit)][Plen Bins: 0,0,0,60,20,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 23 UDP [fe80::18a0:a412:8935:c01b]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 6) - rsp_class: 1 ttl: 4500s rdatalength: 16 rsp_type: PTR data: _companion-link._tcp.local advertised luca’s imac._companion-link._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 14 rsp_type: PTR data: _companion-link._tcp.local advertised luca's ipad._companion-link._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 
1._sleep-proxy._udp.local; rsp_class: 1 ttl: 4497s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 1._sleep-proxy._udp.local; rsp_class: 1 ttl: 4488s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 1._sleep-proxy._udp.local; rsp_class: 1 ttl: 4461s rdatalength: 18 rsp_type: PTR data: _sleep-proxy._udp.local advertised 50-35-10-70.1 1._sleep-proxy._udp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][5 pkts/945 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][40.09 sec][Hostname/SNI: _sleep-proxy._udp.local][_sleep-proxy._udp.local][PLAIN TEXT (homekit)][Plen Bins: 0,0,0,60,20,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 24 UDP 192.168.1.77:52127 -> 239.255.255.250:1900 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][4 pkts/864 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][3.00 sec][Hostname/SNI: 239.255.255.250][User-Agent: Google Chrome/83.0.4103.34 Mac OS X][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 25 UDP 192.168.1.53:56384 -> 239.255.255.250:1900 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][4 pkts/672 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][6.01 sec][Hostname/SNI: 239.255.255.250][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 26 UDP 192.168.1.53:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][Stack: Spotify][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 156/Spotify, Confidence: DPI][DPI packets: 1][cat: Music/25][Breed: Fun][8 pkts/656 bytes -> 0 pkts/0 bytes][Goodput ratio: 49/0][40.88 
sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1749/0 5840/0 21180/0 6407/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 82/0 82/0 0/0][PLAIN TEXT (fSpotUdp0)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -76,7 +76,7 @@ Music 9 742 2 28 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/397 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][PLAIN TEXT (6.10.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 29 UDP 192.168.1.53:50698 -> 239.255.255.250:1900 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][2 pkts/336 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][2.00 sec][Hostname/SNI: 239.255.255.250][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 30 UDP 192.168.1.53:54306 -> 239.255.255.250:1900 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][2 pkts/336 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][2.00 sec][Hostname/SNI: 239.255.255.250][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 31 UDP 192.168.1.77:5353 -> 192.168.1.53:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/320 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 31 UDP 192.168.1.77:5353 -> 192.168.1.53:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 4500s rdatalength: 16 rsp_type: PTR data: _companion-link._tcp.local advertised 
luca’s imac._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/320 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 32 UDP 192.168.1.77:54595 <-> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][2 pkts/166 bytes <-> 1 pkts/136 bytes][Goodput ratio: 49/69][8.49 sec][Hostname/SNI: b._dns-sd._udp.ntop.org][0.0.0.0][DNS Id: 0x6a44][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NXDOMAIN][PLAIN TEXT (postmaster)][Plen Bins: 0,66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 33 UDP 192.168.1.77:52118 <-> 192.168.1.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/75 bytes <-> 1 pkts/209 bytes][Goodput ratio: 43/80][0.01 sec][Hostname/SNI: in.appcenter.ms][20.44.78.251][DNS Id: 0xd285][PLAIN TEXT (appcenter)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 34 UDP 192.168.1.77:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][Stack: NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][3 pkts/276 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: workgroup][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
diff --git a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out
index fe491fa27dc..1e155d97c52 100644
--- a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out
+++ b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out
@@ -63,16 +63,16 @@ JA Host Stats: 12 TCP 192.168.1.121:53912 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][Stack: HTTP.Microsoft][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Download/7][Breed: Acceptable][6 pkts/619 bytes <-> 5 pkts/2282 bytes][Goodput ratio: 34/85][0.05 sec][Hostname/SNI: www.microsoft.com][bytes ratio: -0.573 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 21/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/456 277/1502 78/558][URL: www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** HTTP Susp Header **** Binary File/Data Transfer (Attempt) **][Risk Score: 150][Risk Info: Found binary mime octet-stream / Found TLS_version: UNKNOWN][TCP Fingerprint: 2_64_65535_d29295416479/macOS][PLAIN TEXT (GET /pki/certs/MicRooCerAut)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0] 13 UDP 192.168.1.121:52251 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][8 pkts/767 bytes <-> 8 pkts/1085 bytes][Goodput ratio: 56/69][1.01 sec][Hostname/SNI: 60.21.149.52.in-addr.arpa][0.0.0.0][DNS Id: 0xaa4b][bytes ratio: -0.172 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 165/2 988/5 368/2][Pkt Len c2s/s2c min/avg/max/stddev: 80/86 96/136 132/196 21/42][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NXDOMAIN][PLAIN TEXT (msnhst)][Plen Bins: 0,57,18,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 UDP 192.168.1.121:51998 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][3 pkts/255 bytes <-> 3 pkts/449 bytes][Goodput ratio: 50/72][1.02 
sec][Hostname/SNI: 235.33.22.2.in-addr.arpa][0.0.0.0][DNS Id: 0xa2d1][DNS Ptr: a2-22-33-235.deploy.static.akamaitechnologies.com][bytes ratio: -0.276 (Download)][IAT c2s/s2c min/avg/max/stddev: 999/996 500/498 999/996 500/498][Pkt Len c2s/s2c min/avg/max/stddev: 84/131 85/150 86/171 1/16][PLAIN TEXT (deploy)][Plen Bins: 0,51,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 UDP 192.168.1.121:5353 -> 192.168.1.139:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/383 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 UDP 192.168.1.121:5353 -> 192.168.1.139:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 4500s rdatalength: 8 rsp_type: PTR data: _companion-link._tcp.local advertised mbpro._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/383 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 16 UDP 192.168.1.121:51364 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/77 bytes <-> 1 pkts/289 bytes][Goodput ratio: 45/85][0.01 sec][Hostname/SNI: www.microsoft.com][0.0.0.0][DNS Id: 0xc9c5][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 
TCP 130.211.33.145:443 <-> 192.168.1.121:53432 [proto: 91/TLS][Stack: TLS][IP: 284/GoogleCloud][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 3][cat: Web/5][Breed: Safe][2 pkts/163 bytes <-> 2 pkts/167 bytes][Goodput ratio: 19/21][0.01 sec][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 UDP 192.168.1.121:55567 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/78 bytes <-> 1 pkts/250 bytes][Goodput ratio: 46/83][0.07 sec][Hostname/SNI: wdcp.microsoft.com][0.0.0.0][DNS Id: 0x5de5][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 UDP 192.168.1.121:58161 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/77 bytes <-> 1 pkts/244 bytes][Goodput ratio: 45/82][0.03 sec][Hostname/SNI: www.microsoft.com][2.22.33.235][DNS Id: 0x0b2f][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 UDP [fe80::1059:a858:f9e7:cf94]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/320 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][1.02 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 20 UDP [fe80::1059:a858:f9e7:cf94]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 4500s 
rdatalength: 8 rsp_type: PTR data: _companion-link._tcp.local advertised mbpro._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/320 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][1.02 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 UDP 192.168.1.121:65492 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/115 bytes <-> 1 pkts/191 bytes][Goodput ratio: 63/78][0.07 sec][Hostname/SNI: wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com][0.0.0.0][DNS Id: 0x564d][PLAIN TEXT (northeurope)][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 22 TCP 192.168.1.121:53905 <-> 140.82.113.26:443 [proto: 91/TLS][Stack: TLS][IP: 203/Github][Encrypted][Confidence: DPI][FPC: 203/Github, Confidence: IP address][DPI packets: 2][cat: Web/5][Breed: Safe][2 pkts/120 bytes <-> 2 pkts/163 bytes][Goodput ratio: 0/19][0.11 sec][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 23 UDP 192.168.1.121:53884 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/78 bytes <-> 1 pkts/203 bytes][Goodput ratio: 46/79][0.02 sec][Hostname/SNI: wdcp.microsoft.com][40.113.10.47][DNS Id: 0xc30d][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 24 UDP 192.168.1.139:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: 
DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][1.02 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 24 UDP 192.168.1.139:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 4500s rdatalength: 8 rsp_type: PTR data: _companion-link._tcp.local advertised mbpro._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][2 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][1.02 sec][Hostname/SNI: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 25 UDP 192.168.1.121:65213 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/80 bytes <-> 1 pkts/193 bytes][Goodput ratio: 47/78][0.01 sec][Hostname/SNI: time-macos.apple.com][17.253.54.251][DNS Id: 0x4e70][PLAIN TEXT (aaplimg)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 26 UDP 192.168.1.121:55578 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/86 bytes <-> 1 pkts/150 bytes][Goodput ratio: 51/72][0.01 sec][Hostname/SNI: e13678.dscb.akamaiedge.net][0.0.0.0][DNS Id: 0x5d93][PLAIN TEXT (akamaiedge)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 27 UDP 192.168.1.121:54561 <-> 8.8.8.8:53 [proto: 5/DNS][Stack: 
DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/86 bytes <-> 1 pkts/102 bytes][Goodput ratio: 51/58][0.03 sec][Hostname/SNI: e13678.dscb.akamaiedge.net][2.22.33.235][DNS Id: 0x406f][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/wa_voice.pcap.out b/tests/cfgs/default/result/wa_voice.pcap.out index f2dc67a84e1..7d7b1f94f7e 100644 --- a/tests/cfgs/default/result/wa_voice.pcap.out +++ b/tests/cfgs/default/result/wa_voice.pcap.out 
@@ -72,8 +72,8 @@ JA Host Stats: 12 UDP 192.168.2.12:56328 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][Stack: STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 78.45/STUN.WhatsAppCall, Confidence: DPI][DPI packets: 7][cat: VoIP/10][Breed: Acceptable][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6149 22207/12298 9311/6149][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Mapped IP/Port: 80.180.162.48:52372][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 13 UDP 192.168.2.12:56328 <-> 185.60.216.51:3478 [proto: 78.45/STUN.WhatsAppCall][Stack: STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][FPC: 78.45/STUN.WhatsAppCall, Confidence: DPI][DPI packets: 7][cat: VoIP/10][Breed: Acceptable][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 8626/6151 22207/12301 9311/6150][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Mapped IP/Port: 80.180.162.48:52372][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 14 UDP 192.168.2.12:64716 -> 239.255.255.250:1900 [proto: 12/SSDP][Stack: SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 12/SSDP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][4 pkts/671 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][9.04 sec][Hostname/SNI: 239.255.255.250][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 UDP [fe80::414:409d:8afd:9f05]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][5 pkts/644 bytes -> 0 pkts/0 bytes][Goodput ratio: 
52/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 UDP 192.168.2.12:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][5 pkts/544 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 15 UDP [fe80::414:409d:8afd:9f05]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 3477s rdatalength: 16 rsp_type: PTR data: _companion-link._tcp.local advertised luca’s imac._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][5 pkts/644 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 192.168.2.12:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 1) - rsp_class: 1 ttl: 3477s rdatalength: 16 rsp_type: PTR data: _companion-link._tcp.local advertised luca’s imac._companion-link._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 5][cat: Network/14][Breed: Acceptable][5 pkts/544 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 17 TCP 17.171.47.85:443 <-> 192.168.2.12:50502 [proto: 
91/TLS][Stack: TLS][IP: 140/Apple][Encrypted][Confidence: DPI][FPC: 91/TLS, Confidence: DPI][DPI packets: 1][cat: Web/5][Breed: Safe][4 pkts/271 bytes <-> 4 pkts/271 bytes][Goodput ratio: 11/11][0.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 94/0 278/0 130/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/68 97/97 18/18][nDPI Fingerprint: d9b1e7338e475c535e75d9f1f452155e][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 18 ICMP 192.168.2.12:0 -> 91.252.56.51:0 [proto: 81/ICMP][Stack: ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.92 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 19 UDP 192.168.2.12:55296 <-> 192.168.2.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.03 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][31.13.86.51][DNS Id: 0x3369][PLAIN TEXT (whatsapp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/disable_use_client_port/result/iphone.pcap.out b/tests/cfgs/disable_use_client_port/result/iphone.pcap.out index cd27f59781b..7d6b8a2db14 100644 --- a/tests/cfgs/disable_use_client_port/result/iphone.pcap.out +++ b/tests/cfgs/disable_use_client_port/result/iphone.pcap.out 
@@ -71,9 +71,9 @@ JA Host Stats: 13 TCP 192.168.2.17:50577 <-> 17.130.2.46:443 [proto: 91.140/TLS.Apple][Stack: TLS.Apple][IP: 140/Apple][Encrypted][Confidence: DPI][FPC: 140/Apple, Confidence: DNS][DPI packets: 8][cat: Web/5][Breed: Safe][10 pkts/1721 bytes <-> 8 pkts/4801 bytes][Goodput ratio: 61/89][0.67 sec][Hostname/SNI: gsp85-ssl.ls.apple.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.472 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 81/52 171/161 80/73][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 172/600 583/1506 165/572][nDPI Fingerprint: 3b04572144a728c2faccf30986f300fa][TCP Fingerprint: 194_64_65535_d0a7eb742982/Unknown][TLSv1.2][JA4: t13d2614h2_2802a3db6c62_0e42e90cf648][ServerNames: *.ls.apple.com][JA3S: 4ef1b297bb817d8212165a86308bac5f][Issuer: CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US][Subject: CN=*.ls.apple.com, OU=management:idms.group.576486, O=Apple Inc., ST=California, C=US][Certificate SHA-1: E4:85:25:4C:99:F8:FB:66:49:4B:80:64:5E:63:2A:75:9B:8F:C3:51][Safari][Validity: 2019-03-15 23:17:29 - 2021-04-13 23:17:29][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,11,0,11,0,0,0,11,11,0,0,11,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0] 14 TCP 192.168.2.17:50585 <-> 17.137.166.35:443 [proto: 91.140/TLS.Apple][Stack: TLS.Apple][IP: 140/Apple][Encrypted][Confidence: DPI][FPC: 140/Apple, Confidence: DNS][DPI packets: 8][cat: Web/5][Breed: Safe][6 pkts/1051 bytes <-> 6 pkts/4246 bytes][Goodput ratio: 61/90][1.05 sec][Hostname/SNI: gsa.apple.com][(Advertised) ALPNs: http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.603 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 132/52 322/206 138/89][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 175/708 583/1506 188/647][nDPI Fingerprint: 92587104b60337422ac6966cdaf76f9e][TCP Fingerprint: 
194_64_65535_d0a7eb742982/Unknown][TLSv1.2][JA4: t13d2613h1_2802a3db6c62_845d286b0d67][ServerNames: gsas.apple.com,gsa.apple.com][JA3S: c4b2785a87896e19d37eee932070cb22][Issuer: CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US][Subject: CN=gsa.apple.com, O=Apple Inc., ST=California, C=US][Certificate SHA-1: D4:EF:5E:AD:7F:D5:13:5B:9F:B2:B9:84:19:75:BB:ED:53:FB:18:D6][Safari][Validity: 2019-03-07 00:55:40 - 2020-04-05 00:55:40][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0] 15 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][7 pkts/2394 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][43.15 sec][Hostname/SNI: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1022/0 7191/0 8962/0 2834/0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342/0 342/0 0/0][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][PLAIN TEXT (iPhone)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 UDP 169.254.225.216:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2123 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] - 17 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2094 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 
sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0] - 18 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][3 pkts/2067 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] + 16 UDP 169.254.225.216:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 8) - rsp_class: 1 ttl: 4500s rdatalength: 52 rsp_type: TXT data: luca’s imac._odisk._tcp.local additional info sys=waMA=C4:2C:03:06:49:FE,adVF=0x4,adDT=0x3,adCC=0; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _odisk._tcp.local advertised luca’s imac._odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 26 rsp_type: TXT data: luca’s imac._device-info._tcp.local additional info model=iMac11,3, osxvers=17; rsp_class: 1 ttl: 4500s rdatalength: 51 rsp_type: TXT data: _kerberos.lucas-imac.local additional info LKDC:SHA1.492480C3EA8282771A0D288F111EF9E751F95A63; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: luca’s imac._smb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _smb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _smb._tcp.local advertised luca’s imac._smb._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2123 bytes -> 0 
pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] + 17 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 8) - rsp_class: 1 ttl: 4500s rdatalength: 52 rsp_type: TXT data: luca’s imac._odisk._tcp.local additional info sys=waMA=C4:2C:03:06:49:FE,adVF=0x4,adDT=0x3,adCC=0; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _odisk._tcp.local advertised luca’s imac._odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 26 rsp_type: TXT data: luca’s imac._device-info._tcp.local additional info model=iMac11,3, osxvers=17; rsp_class: 1 ttl: 4500s rdatalength: 51 rsp_type: TXT data: _kerberos.lucas-imac.local additional info LKDC:SHA1.492480C3EA8282771A0D288F111EF9E751F95A63; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: luca’s imac._smb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _smb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _smb._tcp.local advertised luca’s imac._smb._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][4 pkts/2094 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,25,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0] + 18 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 8) - rsp_class: 1 ttl: 4500s rdatalength: 52 rsp_type: TXT data: 
luca’s imac._odisk._tcp.local additional info sys=waMA=C4:2C:03:06:49:FE,adVF=0x4,adDT=0x3,adCC=0; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _odisk._tcp.local advertised luca’s imac._odisk._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 26 rsp_type: TXT data: luca’s imac._device-info._tcp.local additional info model=iMac11,3, osxvers=17; rsp_class: 1 ttl: 4500s rdatalength: 51 rsp_type: TXT data: _kerberos.lucas-imac.local additional info LKDC:SHA1.492480C3EA8282771A0D288F111EF9E751F95A63; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: luca’s imac._smb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _smb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _smb._tcp.local advertised luca’s imac._smb._tcp.local][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][3 pkts/2067 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][33.08 sec][Hostname/SNI: luca’s imac._odisk._tcp.local][luca’s imac._odisk._tcp.local][PLAIN TEXT (s iMac)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0] 19 TCP 192.168.2.17:49152 <-> 17.253.105.202:80 [proto: 7.140/HTTP.Apple][Stack: HTTP.Apple][IP: 140/Apple][ClearText][Confidence: DPI][FPC: 140/Apple, Confidence: DNS][DPI packets: 6][cat: ConnCheck/30][Breed: Safe][5 pkts/473 bytes <-> 4 pkts/968 bytes][Goodput ratio: 28/72][0.33 sec][Hostname/SNI: captive.apple.com][bytes ratio: -0.344 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 82/80 171/158 82/78][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 95/242 197/762 51/300][URL: captive.apple.com/hotspot-detect.html][StatusCode: 200][Content-Type: text/html][Server: ATS/8.0.6][User-Agent: CaptiveNetworkSupport-390.60.1 wispr][TCP Fingerprint: 
194_64_65535_d29295416479/macOS][PLAIN TEXT (GET /hotspot)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 20 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][Stack: Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 121/Dropbox, Confidence: DPI][DPI packets: 1][cat: Cloud/13][Breed: Acceptable][2 pkts/1104 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 21 UDP 192.168.2.1:67 -> 192.168.2.17:68 [proto: 18/DHCP][Stack: DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/684 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (iMac.local)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/dns_sub_enable/result/dns.pcap.out b/tests/cfgs/dns_sub_enable/result/dns.pcap.out index fd0dda000ee..597d0c0c14c 100644 --- a/tests/cfgs/dns_sub_enable/result/dns.pcap.out +++ b/tests/cfgs/dns_sub_enable/result/dns.pcap.out 
@@ -31,6 +31,6 @@ Acceptable 17 3553 4 Network 17 3553 4 1 TCP [2001:b07:a3d:c112:b831:a73f:7974:e604]:49774 <-> [2001:b07:a3d:c112::1]:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][Breed: Acceptable][6 pkts/490 bytes <-> 5 pkts/2156 bytes][Goodput ratio: 7/82][0.01 sec][Hostname/SNI: opentracker.io][45.9.60.30][DNS Id: 0x3d73][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/2 6/5 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 82/431 108/1294 13/481][TCP Fingerprint: 2_64_65535_108f896b6121/Unknown][PLAIN TEXT (opentracker)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0] - 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 5) - rsp_class: 1 ttl: 120s rdatalength: 15 rsp_type: PTR data: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa advertised android.local; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: adb-unidentified._adb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _adb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _adb._tcp.local advertised adb-unidentified._adb._tcp.local; rsp_class: 1 ttl: 
120s rdatalength: 8 rsp_type: SRV data: adb-unidentified._adb._tcp.local is on port 5555][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5.142/DNS.WhatsApp][Stack: DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.142/DNS.WhatsApp, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][169.45.219.235][DNS Id: 0x7843][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5.126/DNS.Google][Stack: DNS.Google][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.126/DNS.Google, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.example.com][0.0.0.0][DNS Id: 0xbc1f][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out index c964e9130ae..a3a4d49c074 100644 --- a/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out +++ b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out 
@@ -29,6 +29,6 @@ Acceptable 17 3553 4 Network 17 3553 4 1 TCP [2001:b07:a3d:c112:b831:a73f:7974:e604]:49774 <-> [2001:b07:a3d:c112::1]:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Network/14][Breed: Acceptable][6 pkts/490 bytes <-> 5 pkts/2156 bytes][Goodput ratio: 7/82][0.01 sec][Hostname/SNI: opentracker.io][0.0.0.0][DNS Id: 0x3d73][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/2 6/5 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 82/431 108/1294 13/481][TCP Fingerprint: 2_64_65535_108f896b6121/Unknown][PLAIN TEXT (opentracker)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0] - 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 5) - rsp_class: 1 ttl: 120s rdatalength: 15 rsp_type: PTR data: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa advertised android.local; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: adb-unidentified._adb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _adb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _adb._tcp.local advertised adb-unidentified._adb._tcp.local; rsp_class: 1 ttl: 120s 
rdatalength: 8 rsp_type: SRV data: adb-unidentified._adb._tcp.local is on port 5555][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][0.0.0.0][DNS Id: 0x7843][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.l.google.com][0.0.0.0][DNS Id: 0xdca2][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/subclassification_disable/result/dns.pcap.out b/tests/cfgs/subclassification_disable/result/dns.pcap.out index 8c4eaede89d..0f5bf98205d 100644 --- a/tests/cfgs/subclassification_disable/result/dns.pcap.out +++ b/tests/cfgs/subclassification_disable/result/dns.pcap.out 
@@ -29,6 +29,6 @@ Acceptable 17 3553 4 Network 17 3553 4 1 TCP [2001:b07:a3d:c112:b831:a73f:7974:e604]:49774 <-> [2001:b07:a3d:c112::1]:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Network/14][Breed: Acceptable][6 pkts/490 bytes <-> 5 pkts/2156 bytes][Goodput ratio: 7/82][0.01 sec][Hostname/SNI: opentracker.io][45.9.60.30][DNS Id: 0x3d73][bytes ratio: -0.630 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/2 6/5 3/2][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 82/431 108/1294 13/481][TCP Fingerprint: 2_64_65535_108f896b6121/Unknown][PLAIN TEXT (opentracker)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0] - 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP [fe80::a00:27ff:feb3:e62e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][Stack: MDNS][IP: 0/Unknown][MDNS advertised services (found 5) - rsp_class: 1 ttl: 120s rdatalength: 15 rsp_type: PTR data: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa advertised android.local; rsp_class: 1 ttl: 4500s rdatalength: 1 rsp_type: TXT data: adb-unidentified._adb._tcp.local additional info ; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _services._dns-sd._udp.local advertised _adb._tcp.local; rsp_class: 1 ttl: 4500s rdatalength: 2 rsp_type: PTR data: _adb._tcp.local advertised adb-unidentified._adb._tcp.local; rsp_class: 1 ttl: 
120s rdatalength: 8 rsp_type: SRV data: adb-unidentified._adb._tcp.local is on port 5555][ClearText][Confidence: DPI][FPC: 8/MDNS, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][1 pkts/371 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][< 1 sec][Hostname/SNI: e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][e.2.6.e.3.b.e.f.f.f.7.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa][PLAIN TEXT (Android)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 82.178.113.245:47255 <-> 82.178.158.181:53 [VLAN: 785][proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/91 bytes <-> 1 pkts/219 bytes][Goodput ratio: 36/73][0.00 sec][Hostname/SNI: e7.whatsapp.net][169.45.219.235][DNS Id: 0x7843][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 UDP 192.168.170.20:53 <-> 192.168.170.8:32795 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][Breed: Acceptable][2 pkts/151 bytes <-> 1 pkts/75 bytes][Goodput ratio: 44/43][41.07 sec][Hostname/SNI: www.example.com][0.0.0.0][DNS Id: 0xbc1f][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]