From b3f2b1bb7f90c18a7542ab06acdf26318cdfa6fe Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Mon, 11 Dec 2023 14:53:12 +0100 Subject: [PATCH] STUN: rework extra dissection (#2202) Keep looking for RTP packets but remove the monitoring concept. We will re-introduce a more general concept of "flow in monitoring state" later. The function was disabled by default. Some configuration knobs will be provided when/if #2190 is merged. --- example/ndpiReader.c | 22 ----- fuzz/fuzz_config.cpp | 15 +--- fuzz/fuzz_ndpi_reader.c | 3 - src/include/ndpi_api.h | 6 -- src/include/ndpi_typedefs.h | 6 -- src/lib/ndpi_main.c | 39 --------- src/lib/ndpi_private.h | 3 - src/lib/protocols/stun.c | 20 ++--- tests/cfgs/disable_stun_monitoring/config.txt | 1 - .../pcap/lru_ipv6_caches.pcapng | 1 - .../result/lru_ipv6_caches.pcapng.out | 48 ----------- .../config.txt | 1 - .../pcap/stun_dtls_rtp.pcapng | 1 - .../pcap/stun_dtls_rtp_unidir.pcapng | 1 - .../pcap/wa_voice.pcap | 1 - .../result/stun_dtls_rtp.pcapng.out | 33 -------- .../result/stun_dtls_rtp_unidir.pcapng.out | 34 -------- .../result/wa_voice.pcap.out | 80 ------------------- 18 files changed, 9 insertions(+), 306 deletions(-) delete mode 100644 tests/cfgs/disable_stun_monitoring/config.txt delete mode 120000 tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng delete mode 100644 tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out delete mode 100644 tests/cfgs/enable_stun_monitoring_with_subproto/config.txt delete mode 120000 tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng delete mode 120000 tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng delete mode 120000 tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap delete mode 100644 tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out delete mode 100644 tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out delete mode 100644 tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out diff --git a/example/ndpiReader.c b/example/ndpiReader.c index ecc5ba13aa8..15679cdefb5 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -94,8 +94,6 @@ static u_int8_t ignore_vlanid = 0; /** User preferences **/ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0; u_int8_t verbose = 0, enable_flow_stats = 0; -int stun_monitoring_pkts_to_process = -1; /* Default */ -int stun_monitoring_flags = -1; /* Default */ int nDPI_LogLevel = 0; char *_debug_protocols = NULL; char *_disabled_protocols = NULL; @@ -591,8 +589,6 @@ static void help(u_int long_help) { " -Z proto:value | Set this value of aggressiveness for this protocol (0 to disable it). This flag can be used multiple times\n" " --lru-cache-size=NAME:size | Specify the size for this LRU cache (0 to disable it). This flag can be used multiple times\n" " --lru-cache-ttl=NAME:size | Specify the TTL [in seconds] for this LRU cache (0 to disable it). This flag can be used multiple times\n" - " --stun-monitoring=: | Configure STUN monitoring: keep monitoring STUN session for more pkts looking for RTP\n" - " | (0:0 to disable the feature); set the specified features in \n" , human_readeable_string_len, min_pattern_len, max_pattern_len, max_num_packets_per_flow, max_packet_payload_dissection, @@ -646,8 +642,6 @@ static void help(u_int long_help) { #define OPTLONG_VALUE_LRU_CACHE_SIZE 1000 #define OPTLONG_VALUE_LRU_CACHE_TTL 1001 -#define OPTLONG_VALUE_STUN_MONITORING 2000 - static struct option longopts[] = { /* mandatory extcap options */ { "extcap-interfaces", no_argument, NULL, '0'}, @@ -691,7 +685,6 @@ static struct option longopts[] = { { "lru-cache-size", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_SIZE}, { "lru-cache-ttl", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_TTL}, - { "stun-monitoring", required_argument, NULL, OPTLONG_VALUE_STUN_MONITORING}, {0, 0, 0, 0} }; @@ -966,7 +959,6 @@ static void parseOptions(int argc, char **argv) { #endif #endif int cache_idx, cache_size, cache_ttl; - u_int32_t num_pkts, flags; #ifdef USE_DPDK { @@ -1302,15 +1294,6 @@ static void parseOptions(int argc, char **argv) { lru_cache_ttls[cache_idx] = cache_ttl; break; - case OPTLONG_VALUE_STUN_MONITORING: - if(parse_two_unsigned_integer(optarg, &num_pkts, &flags) == -1) { - printf("Invalid parameter [%s]\n", optarg); - exit(1); - } - stun_monitoring_pkts_to_process = num_pkts; - stun_monitoring_flags = flags; - break; - default: #ifdef DEBUG_TRACE if(trace) fprintf(trace, " #### Unknown option -%c: skipping it #### \n", opt); @@ -2752,11 +2735,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { ndpi_set_protocol_aggressiveness(ndpi_thread_info[thread_id].workflow->ndpi_struct, i, aggressiveness[i]); } - if(stun_monitoring_pkts_to_process != -1 && - stun_monitoring_flags != -1) - ndpi_set_monitoring_state(ndpi_thread_info[thread_id].workflow->ndpi_struct, NDPI_PROTOCOL_STUN, - stun_monitoring_pkts_to_process, stun_monitoring_flags); - ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct); if(enable_doh_dot_detection) diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 0abf63515c4..afd9367fbef 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -13,7 +13,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { struct ndpi_detection_module_struct *ndpi_info_mod; struct ndpi_flow_struct flow; u_int8_t protocol_was_guessed; - u_int32_t i, num, num2; + u_int32_t i, num; u_int16_t random_proto, bool_value; int random_value; NDPI_PROTOCOL_BITMASK enabled_bitmask; @@ -36,7 +36,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 6 + /* files */ ((NDPI_LRUCACHE_MAX + 1) * 5) + /* LRU caches */ 2 + 1 + 4 + /* ndpi_set_detection_preferences() */ - 1 + 3 + 1 + 3 + /* Monitoring */ 7 + /* Opportunistic tls */ 2 + /* Pid */ 2 + /* Category */ @@ -108,18 +107,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_detection_preferences(ndpi_info_mod, static_cast(0xFF), 0xFF); /* Invalid preference */ - if(fuzzed_data.ConsumeBool()) { - ndpi_set_monitoring_state(ndpi_info_mod, NDPI_PROTOCOL_STUN, - fuzzed_data.ConsumeIntegralInRange(0, (1 << 16)), - fuzzed_data.ConsumeIntegralInRange(0, 7)); - ndpi_get_monitoring_state(ndpi_info_mod, NDPI_PROTOCOL_STUN, &num, &num2); - } - - random_proto = fuzzed_data.ConsumeIntegralInRange(0, (1 << 16) - 1); - random_value = fuzzed_data.ConsumeIntegralInRange(0,2); - ndpi_set_monitoring_state(ndpi_info_mod, random_proto, random_value, random_value); - ndpi_get_monitoring_state(ndpi_info_mod, random_proto, &num, &num2); - ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP, fuzzed_data.ConsumeBool()); ndpi_get_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP); ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_IMAP, fuzzed_data.ConsumeBool()); diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c index 5f2d980c594..cd2292e66cb 100644 --- a/fuzz/fuzz_ndpi_reader.c +++ b/fuzz/fuzz_ndpi_reader.c @@ -74,9 +74,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 0 /* unused */); - ndpi_set_monitoring_state(workflow->ndpi_struct, NDPI_PROTOCOL_STUN, - 10, NDPI_MONITORING_STUN_SUBCLASSIFIED); - memset(workflow->stats.protocol_counter, 0, sizeof(workflow->stats.protocol_counter)); memset(workflow->stats.protocol_counter_bytes, 0, diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 9c634f2a698..64d183ef6a5 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1099,12 +1099,6 @@ extern "C" { u_int32_t ndpi_get_protocol_aggressiveness(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t proto); - int ndpi_set_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t proto, u_int32_t num_pkts, u_int32_t flags); - int ndpi_get_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t proto, u_int32_t *num_pkts, u_int32_t *flags); - - /** * Find a protocol id associated with a string automata * diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index e7338b0fc9c..d7c4537aa49 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -753,12 +753,6 @@ struct ndpi_lru_cache { /* Ookla */ #define NDPI_AGGRESSIVENESS_OOKLA_TLS 0x01 /* Enable detection over TLS (using ookla cache) */ - -/* Monitoring flags */ - -/* Stun */ -#define NDPI_MONITORING_STUN_SUBCLASSIFIED 0x01 /* Monitor STUN flows even if we have a valid sub-protocol */ - /* ************************************************** */ struct ndpi_flow_tcp_struct { diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 02db29a68ca..6eafa598b1a 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3387,9 +3387,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_str->opportunistic_tls_ftp_enabled = 1; ndpi_str->opportunistic_tls_stun_enabled = 1; - ndpi_str->monitoring_stun_pkts_to_process = 4; - ndpi_str->monitoring_stun_flags = 0; - ndpi_str->aggressiveness_ookla = NDPI_AGGRESSIVENESS_OOKLA_TLS; if(prefs & ndpi_enable_tcp_ack_payload_heuristic) @@ -10430,42 +10427,6 @@ int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow) /* ******************************************************************** */ -int ndpi_set_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t proto, u_int32_t num_pkts, u_int32_t flags) -{ - if(!ndpi_struct || num_pkts > 0xFFFF) - return -1; - - switch(proto) { - case NDPI_PROTOCOL_STUN: - ndpi_struct->monitoring_stun_pkts_to_process = num_pkts; - ndpi_struct->monitoring_stun_flags = flags; - return 0; - default: - return -1; - } -} - -/* ******************************************************************** */ - -int ndpi_get_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t proto, u_int32_t *num_pkts, u_int32_t *flags) -{ - if(!ndpi_struct || !num_pkts || !flags) - return -1; - - switch(proto) { - case NDPI_PROTOCOL_STUN: - *num_pkts = ndpi_struct->monitoring_stun_pkts_to_process; - *flags = ndpi_struct->monitoring_stun_flags; - return 0; - default: - return -1; - } -} - -/* ******************************************************************** */ - int ndpi_set_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t proto, int value) { diff --git a/src/lib/ndpi_private.h b/src/lib/ndpi_private.h index e45a0aabefe..148b4b9ebe7 100644 --- a/src/lib/ndpi_private.h +++ b/src/lib/ndpi_private.h @@ -253,9 +253,6 @@ struct ndpi_detection_module_struct { int opportunistic_tls_ftp_enabled; int opportunistic_tls_stun_enabled; - u_int32_t monitoring_stun_pkts_to_process; - u_int32_t monitoring_stun_flags; - u_int32_t aggressiveness_ookla; int tcp_ack_paylod_heuristic; diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index b3d83da8cde..74dfc829bcb 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -345,9 +345,8 @@ static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struc /* We have a sub-classification */ - if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) && - flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP) - return 1; + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RTP) + return 0; /* Looking for XOR-PEER-ADDRESS metadata; TODO: other protocols? */ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) @@ -614,25 +613,22 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, __get_master(flow), confidence); } - /* This is quite complex. We want extra dissection for: + /* We want extra dissection for: * sub-classification - * metadata extraction in general - * Telegram: we need more packets to find all XOR-PEER-ADDRESS attributes - * monitoring, i.e. looking for RTP - And all these cases might overlap... + * metadata extraction or looking for RTP + The latter is enabled only without sub-classification or for Telegram + (to find all XOR-PEER-ADDRESS attributes) */ if(!flow->extra_packets_func) { if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */ || - flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */ || - (ndpi_struct->monitoring_stun_pkts_to_process > 0 && - (ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED))) { + flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */) { NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) { flow->max_extra_packets_to_check = 10; /* Looking for metadata. There are no really RTP packets in Telegram flows, so no need to enable monitoring for them */ } else { - flow->max_extra_packets_to_check = ndpi_max(4, ndpi_struct->monitoring_stun_pkts_to_process); + flow->max_extra_packets_to_check = 4; flow->extra_packets_func = stun_search_again; } } diff --git a/tests/cfgs/disable_stun_monitoring/config.txt b/tests/cfgs/disable_stun_monitoring/config.txt deleted file mode 100644 index 828d83cd4ca..00000000000 --- a/tests/cfgs/disable_stun_monitoring/config.txt +++ /dev/null @@ -1 +0,0 @@ ---stun-monitoring=0:0 diff --git a/tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng b/tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng deleted file mode 120000 index 56b131a341f..00000000000 --- a/tests/cfgs/disable_stun_monitoring/pcap/lru_ipv6_caches.pcapng +++ /dev/null @@ -1 +0,0 @@ -../../default/pcap/lru_ipv6_caches.pcapng \ No newline at end of file diff --git a/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out deleted file mode 100644 index 19e22069d5c..00000000000 --- a/tests/cfgs/disable_stun_monitoring/result/lru_ipv6_caches.pcapng.out +++ /dev/null @@ -1,48 +0,0 @@ -Guessed flow protos: 3 - -DPI Packets (TCP): 9 (3.00 pkts/flow) -DPI Packets (UDP): 36 (4.00 pkts/flow) -Confidence DPI (cache) : 6 (flows) -Confidence DPI : 6 (flows) -Num dissector calls: 776 (64.67 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 25/12/4 (insert/search/found) -LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 6/8/0 (insert/search/found) -LRU cache tls_cert: 1/3/2 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) -Automa host: 9/0 (search/found) -Automa domain: 9/0 (search/found) -Automa tls cert: 1/1 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 3/3 (search/found) -Patricia risk mask: 0/0 (search/found) -Patricia risk mask IPv6: 22/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 12/0 (search/found) -Patricia protocols: 0/0 (search/found) -Patricia protocols IPv6: 24/0 (search/found) - -BitTorrent 25 4546 5 -WhatsAppCall 24 3996 3 -STUN 30 3450 1 -Cloudflare 9 8862 3 - -JA3 Host Stats: - IP Address # JA3C - - - 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 12][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] - 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] - 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] - 5 UDP [2a2f:8509:1cb2:466d:ecbf:69d6:109c:608]:62229 -> [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 8][cat: Download/7][9 pkts/2397 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][9.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1249/0 8358/0 2694/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 266/0 610/0 243/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 44,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP [3069:c624:1d42:9469:98b1:67ff:fe43:325]:56131 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1958 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][2.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/0 236/0 1183/0 350/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 178/0 214/0 41/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BHBeRjaHJ)][Plen Bins: 9,0,18,0,72,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP [2118:ec33:112b:7908:2c80:27ff:fef7:d71f]:48415 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1742 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][2.97 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 279/0 1388/0 400/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 158/0 214/0 51/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (NGuJOnsW)][Plen Bins: 18,0,36,0,45,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27]:60506 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 8][cat: Download/7][11 pkts/1319 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][6.03 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 670/0 2769/0 758/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 120/0 431/0 99/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 72,18,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][8.49 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [38b2:46b7:27a4:94c3:c134:948:e069:d71f]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][20.08 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 11 UDP [3297:a1af:5121:cfc:360b:2e07:872f:1ea0]:43865 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][0.26 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BZ9/sp6)][Plen Bins: 50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 12 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: Download/7][1 pkts/166 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/config.txt b/tests/cfgs/enable_stun_monitoring_with_subproto/config.txt deleted file mode 100644 index 1dfcde8ad7f..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/config.txt +++ /dev/null @@ -1 +0,0 @@ ---stun-monitoring=20:1 diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng deleted file mode 120000 index d30bde120b2..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp.pcapng +++ /dev/null @@ -1 +0,0 @@ -../../default/pcap/stun_dtls_rtp.pcapng \ No newline at end of file diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng b/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng deleted file mode 120000 index b7223bfd00e..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/stun_dtls_rtp_unidir.pcapng +++ /dev/null @@ -1 +0,0 @@ -../../default/pcap/stun_dtls_rtp_unidir.pcapng \ No newline at end of file diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap b/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap deleted file mode 120000 index 5e8affbfb1a..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/pcap/wa_voice.pcap +++ /dev/null @@ -1 +0,0 @@ -../../default/pcap/wa_voice.pcap \ No newline at end of file diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out deleted file mode 100644 index 81789052113..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp.pcapng.out +++ /dev/null @@ -1,33 +0,0 @@ -Guessed flow protos: 0 - -DPI Packets (UDP): 25 (25.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 6 (6.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 2/0/0 (insert/search/found) -LRU cache tls_cert: 1/2/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) -Automa host: 0/0 (search/found) -Automa domain: 0/0 (search/found) -Automa tls cert: 1/1 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 1/1 (search/found) -Patricia protocols IPv6: 0/0 (search/found) - -GoogleHangoutDuo 39 8413 1 - -JA3 Host Stats: - IP Address # JA3C - 1 192.168.12.156 1 - - - 1 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.201/DTLS.GoogleHangoutDuo][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 25][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 210][Risk Info: No ALPN / CN=hangouts][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out deleted file mode 100644 index a0ff564d9f4..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/stun_dtls_rtp_unidir.pcapng.out +++ /dev/null @@ -1,34 +0,0 @@ -Guessed flow protos: 0 - -DPI Packets (UDP): 36 (18.00 pkts/flow) -Confidence DPI : 2 (flows) -Num dissector calls: 12 (6.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 32/88/0 (insert/search/found) -LRU cache tls_cert: 0/5/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) -Automa host: 0/0 (search/found) -Automa domain: 0/0 (search/found) -Automa tls cert: 1/0 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 0/0 (search/found) -Patricia risk mask: 4/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 4/0 (search/found) -Patricia protocols IPv6: 0/0 (search/found) - -RTP 43 10358 2 - -JA3 Host Stats: - IP Address # JA3C - 1 10.10.0.1 1 - - - 1 UDP 10.1.0.3:5853 -> 10.10.0.1:2808 [proto: 30.87/DTLS.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 15][cat: Network/14][18 pkts/5384 bytes -> 0 pkts/0 bytes][Goodput ratio: 86/0][7.17 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 386/0 4001/0 979/0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 299/0 750/0 221/0][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **][Risk Score: 150][Risk Info: CN=8][DTLSv1.0][JA3S: 1cfcbe58451407e23669f1dd08565519][Issuer: CN=8][Subject: CN=8][Certificate SHA-1: 94:8C:6F:C3:00:6A:A1:63:F1:52:7E:7F:1F:A7:93:90:46:3B:B1:2D][Validity: 2015-12-10 05:41:43 - 2016-01-10 05:41:43][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (Coturn)][Plen Bins: 0,5,5,5,34,22,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 10.10.0.1:65226 -> 10.1.0.3:57730 [proto: 30.87/DTLS.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 21][cat: Network/14][25 pkts/4974 bytes -> 0 pkts/0 bytes][Goodput ratio: 79/0][7.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/0 4001/0 904/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 199/0 478/0 92/0][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 110][Risk Info: No ALPN][DTLSv1.0][JA3C: fd8faf73d274d5614a51dae82304be0a][PLAIN TEXT (username1)][Plen Bins: 0,8,16,16,32,0,4,8,0,12,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out deleted file mode 100644 index ee7f07b1539..00000000000 --- a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out +++ /dev/null @@ -1,80 +0,0 @@ -Guessed flow protos: 8 - -DPI Packets (TCP): 20 (3.33 pkts/flow) -DPI Packets (UDP): 102 (4.86 pkts/flow) -DPI Packets (other): 1 (1.00 pkts/flow) -Confidence Unknown : 1 (flows) -Confidence DPI (cache) : 1 (flows) -Confidence DPI : 26 (flows) -Num dissector calls: 387 (13.82 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/3/0 (insert/search/found) -LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 14/3/2 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/1/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) -Automa host: 20/10 (search/found) -Automa domain: 20/0 (search/found) -Automa tls cert: 0/0 (search/found) -Automa risk mask: 4/0 (search/found) -Automa common alpns: 14/14 (search/found) -Patricia risk mask: 28/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 1/0 (search/found) -Patricia risk IPv6: 1/0 (search/found) -Patricia protocols: 44/10 (search/found) -Patricia protocols IPv6: 2/0 (search/found) - -Unknown 2 120 1 -MDNS 10 1188 2 -SSDP 8 1365 5 -DHCP 5 1710 1 -WhatsAppCall 48 5768 5 -ICMP 4 280 1 -RTP 213 37951 2 -TLS 8 542 1 -Dropbox 4 1528 1 -Google 2 164 1 -WhatsApp 352 86475 4 -Spotify 2 172 1 -ApplePush 24 8007 1 -WhatsAppFiles 52 24946 2 - -JA3 Host Stats: - IP Address # JA3C - 1 192.168.2.12 2 - - - 1 TCP 192.168.2.12:50504 <-> 157.240.20.52:443 [proto: 91.142/TLS.WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][41 pkts/3669 bytes <-> 44 pkts/43871 bytes][Goodput ratio: 27/93][0.41 sec][Hostname/SNI: pps.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.846 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/8 129/77 24/19][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 89/997 583/1454 85/624][TLSv1.3][JA3C: 7a7a639628f0fe5c7e057628a5bbec5a][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 8,11,4,0,0,2,2,0,2,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,61,0,0,0,0] - 2 TCP 192.168.2.12:49355 <-> 157.240.20.53:5222 [proto: 142/WhatsApp][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 4][cat: Chat/9][132 pkts/14116 bytes <-> 131 pkts/24439 bytes][Goodput ratio: 38/65][54.73 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 342/421 9349/9387 1279/1420][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/187 393/1454 62/283][PLAIN TEXT (fd.9LTIP9)][Plen Bins: 1,63,2,3,10,10,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0] - 3 UDP 91.252.56.51:32704 <-> 192.168.2.12:56328 [proto: 45.87/WhatsAppCall.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: VoIP/10][87 pkts/14598 bytes <-> 77 pkts/17336 bytes][Goodput ratio: 75/81][11.91 sec][bytes ratio: -0.086 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 136/121 921/265 137/64][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 168/225 318/331 61/68][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (KEXQD/)][Plen Bins: 6,4,7,27,16,4,11,12,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 192.168.2.12:50503 <-> 31.13.86.51:443 [proto: 91.242/TLS.WhatsAppFiles][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Download/7][25 pkts/2993 bytes <-> 25 pkts/21759 bytes][Goodput ratio: 44/92][0.39 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.758 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/10 127/126 28/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/870 583/1454 124/639][TLSv1.3][JA3C: b92a79ed03c3ff5611abb2305370d3e3][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 7,14,7,0,0,3,0,0,7,0,3,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,47,0,0,0,0] - 5 TCP 192.168.2.12:49354 <-> 17.242.60.84:5223 [proto: 238/ApplePush][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 1][cat: Cloud/13][14 pkts/6933 bytes <-> 10 pkts/1074 bytes][Goodput ratio: 87/39][54.11 sec][bytes ratio: 0.732 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4462/757 43773/5113 12515/1779][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 495/107 1506/215 607/44][Plen Bins: 0,42,14,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,21,0,0] - 6 UDP 192.168.2.12:56328 <-> 31.13.86.48:3478 [proto: 45.87/WhatsAppCall.RTP][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 21][cat: VoIP/10][21 pkts/2349 bytes <-> 28 pkts/3668 bytes][Goodput ratio: 62/68][34.51 sec][bytes ratio: -0.219 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1959/1447 12194/12196 2978/2626][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 112/131 249/326 64/101][Plen Bins: 40,20,0,20,0,0,8,4,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/1710 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][17.30 sec][Hostname/SNI: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][4 pkts/1528 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 9 UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 16][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 10 UDP 192.168.2.12:56328 <-> 157.240.193.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6151 22207/12302 9311/6151][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 11 UDP 192.168.2.12:56328 <-> 157.240.196.62:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6148 22207/12297 9311/6148][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 12 UDP 192.168.2.12:56328 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8626/6149 22207/12298 9311/6149][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 13 UDP 192.168.2.12:56328 <-> 185.60.216.51:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/840 bytes <-> 3 pkts/258 bytes][Goodput ratio: 75/51][34.51 sec][bytes ratio: 0.530 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 8626/6151 22207/12301 9311/6150][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168/86 168/86 0/0][Plen Bins: 0,37,0,62,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 14 UDP 192.168.2.12:64716 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][4 pkts/671 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][9.04 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 15 UDP [fe80::414:409d:8afd:9f05]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][5 pkts/644 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 16 UDP 192.168.2.12:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][5 pkts/544 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][32.02 sec][Hostname/SNI: _homekit._tcp.local][_homekit._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,80,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 17 TCP 17.171.47.85:443 <-> 192.168.2.12:50502 [proto: 91/TLS][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 1][cat: Web/5][4 pkts/271 bytes <-> 4 pkts/271 bytes][Goodput ratio: 11/11][0.28 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 94/0 278/0 130/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/68 97/97 18/18][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 18 ICMP 192.168.2.12:0 -> 91.252.56.51:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][4 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.92 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 19 UDP 192.168.2.12:55296 <-> 192.168.2.1:53 [proto: 5.242/DNS.WhatsAppFiles][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/105 bytes][Goodput ratio: 52/59][0.03 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][31.13.86.51][PLAIN TEXT (whatsapp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 20 UDP 192.168.2.12:60549 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/117 bytes][Goodput ratio: 44/64][0.04 sec][Hostname/SNI: pps.whatsapp.net][157.240.20.52][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 21 UDP 192.168.2.12:60765 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/113 bytes][Goodput ratio: 43/62][0.03 sec][Hostname/SNI: g.whatsapp.net][157.240.20.53][PLAIN TEXT (whatsapp)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 22 UDP 192.168.2.12:50191 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/179 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 23 UDP 192.168.2.12:57546 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/179 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 24 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Music/25][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.00 sec][PLAIN TEXT (KTSpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 25 UDP 169.254.162.244:50384 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 26 UDP 192.168.2.1:50384 -> 239.255.255.250:1900 [proto: 12/SSDP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][< 1 sec][Hostname/SNI: 239.255.255.250:1900][PLAIN TEXT (SEARCH )][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 27 UDP 192.168.2.12:51431 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/74 bytes <-> 1 pkts/90 bytes][Goodput ratio: 43/53][0.00 sec][Hostname/SNI: www.google.com][216.239.38.120][PLAIN TEXT (google)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - - -Undetected flows: - 1 TCP 192.168.2.12:49352 <-> 169.254.162.244:49159 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 2][1 pkts/54 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]