
Commit eeb1c28

committed
Fixed handling of spurious TCP retransmissions
1 parent a726c70 commit eeb1c28


14 files changed

+39
-39
lines changed


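--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1245,7 +1245,8 @@ struct ndpi_flow_struct {
 tcp sequence number connection tracking
 */
 u_int32_t next_tcp_seq_nr[2];
-
+u_int16_t last_tcp_pkt_payload_len;
+
 /* Flow addresses (useful for LRU lookups in ndpi_detection_giveup())
 and ports. All in *network* byte order.
 Client and server.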
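Review bot: The new `last_tcp_pkt_payload_len` field has no comment of its own and sits under the existing "tcp sequence number connection tracking" comment, although it is a single value while `next_tcp_seq_nr` right above it is kept per direction. I would document what it holds and how it is used, e.g. `/* payload length of the last TCP packet seen on this flow, in either direction; 0 suppresses tcp_retransmission on the next out-of-window segment */`. The field is assigned from `packet->payload_packet_len` in ndpi_main.c, whose type is not visible on this page, so it is worth confirming that `u_int16_t` is at least as wide. The struct body continues outside the hunk.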

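--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7131,7 +7131,8 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s
 /* check tcp sequence counters */
 if(((u_int32_t)(ntohl(tcph->seq) - flow->next_tcp_seq_nr[packet->packet_direction])) >
 ndpi_str->tcp_max_retransmission_window_size) {
-packet->tcp_retransmission = 1;
+if(flow->last_tcp_pkt_payload_len > 0)
+packet->tcp_retransmission = 1;
 
 /* CHECK IF PARTIAL RETRY IS HAPPENING */
 if((flow->next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq) <
@@ -7149,6 +7150,8 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s
 flow->next_tcp_seq_nr[0] = 0;
 flow->next_tcp_seq_nr[1] = 0;
 }
+
+flow->last_tcp_pkt_payload_len = packet->payload_packet_len;
 } else if(udph != NULL) {
 if(ndpi_str->cfg.direction_detect_enabled &&
 (udph->source != udph->dest))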
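Review bot: The new guard on `packet->tcp_retransmission` reads a flow-wide `flow->last_tcp_pkt_payload_len`, while the sequence comparison just above it is per direction (`next_tcp_seq_nr[packet->packet_direction]`). The second hunk stores `packet->payload_packet_len` with no direction index, so a zero-length segment from the peer (a bare ACK, for instance) arriving just before an out-of-window data segment leaves the value at 0; that segment is then not marked as a retransmission and is presumably handed to the dissectors as new data, which would fit the shifted classification and risk results in the expected test outputs. If the intent is "previous segment in this direction", keep the state per direction: `u_int16_t last_tcp_pkt_payload_len[2];`, `if(flow->last_tcp_pkt_payload_len[packet->packet_direction] > 0)` and `flow->last_tcp_pkt_payload_len[packet->packet_direction] = packet->payload_packet_len;`. Either way, brace the new `if` and add a comment saying why a zero-length predecessor makes the retransmission spurious. ndpi_connection_tracking starts and ends outside both hunks.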

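--- a/tests/cfgs/default/result/1kxun.pcap.out
+++ b/tests/cfgs/default/result/1kxun.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP): 120 (1.21 pkts/flow)
 Confidence Unknown : 14 (flows)
 Confidence Match by port : 6 (flows)
 Confidence DPI : 177 (flows)
-Num dissector calls: 5004 (25.40 diss/flow)
+Num dissector calls: 5024 (25.50 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)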

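--- a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
+++ b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
@@ -1,6 +1,6 @@
 Guessed flow protos: 9
 
-DPI Packets (TCP): 71 (4.73 pkts/flow)
+DPI Packets (TCP): 67 (4.47 pkts/flow)
 DPI Packets (UDP): 10 (2.00 pkts/flow)
 Confidence Match by port : 8 (flows)
 Confidence DPI : 11 (flows)
@@ -51,7 +51,7 @@ JA3 Host Stats:
 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91/TLS][IP: 119/Facebook][Encrypted][Confidence: DPI][FPC: 119/Facebook, Confidence: IP address][DPI packets: 7][cat: Web/5][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 71/27][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 141/117 494/295 163/92][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195/78 735/189 228/35][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious Fingerpint **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA4: t10d350200_1f24bcc5f17d_33a13ba74d1c][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 30,23,0,0,15,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 194/KakaoTalk_Voice, Confidence: DPI][DPI packets: 1][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 69/69][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4203/4247 4716/5160 1131/719][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141/142 150/142 6/0][Plen Bins: 0,0,4,95,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 194/KakaoTalk_Voice, Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 69/69][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266/3766 4903/4991 1245/1144][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140/140 142/142 6/6][Plen Bins: 0,0,9,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 15][cat: Chat/9][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Goodput ratio: 54/34][3.79 sec][Hostname/SNI: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406/439 2019/1166 732/515][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 140/87 665/262 199/71][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][Req Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 8080,3128][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 131.48/HTTP_Proxy.QQ][IP: 285/Tencent][ClearText][Confidence: DPI][FPC: 285/Tencent, Confidence: IP address][DPI packets: 11][cat: Download/7][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Goodput ratio: 54/34][3.79 sec][Hostname/SNI: hkminorshort.weixin.qq.com][bytes ratio: 0.294 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/51 406/439 2019/1166 732/515][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 140/87 665/262 199/71][URL: http://hkminorshort.weixin.qq.com/cgi-bin/micromsg-bin/rtkvreport][StatusCode: 200][Req Content-Type: application/octet-stream][Content-Type: application/octet-stream][User-Agent: MicroMessenger Client][Filename: micromsgresp.dat][Risk: ** Known Proto on Non Std Port **** Binary File/Data Transfer (Attempt) **][Risk Score: 100][Risk Info: Expected on port 8080,3128 / Found binary mime octet-stream][PLAIN TEXT (POST http)][Plen Bins: 0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 11][cat: Web/5][6 pkts/543 bytes <-> 5 pkts/945 bytes][Goodput ratio: 25/64][24.77 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 77/47 4920/8061 17431/17434 6679/7163][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 90/189 130/504 24/164][Plen Bins: 16,51,0,16,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Web/5][3 pkts/1044 bytes <-> 2 pkts/154 bytes][Goodput ratio: 84/27][51.90 sec][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 7.514 (Encrypted or Random?)][Plen Bins: 0,33,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 11 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 265/AmazonAWS][IP: 265/AmazonAWS][Encrypted][Confidence: Match by IP][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 4][cat: Cloud/13][2 pkts/225 bytes <-> 2 pkts/171 bytes][Goodput ratio: 39/20][0.46 sec][PLAIN TEXT (xiaomi.com)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]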

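--- a/tests/cfgs/default/result/ftp.pcap.out
+++ b/tests/cfgs/default/result/ftp.pcap.out
@@ -1,7 +1,7 @@
 DPI Packets (TCP): 39 (13.00 pkts/flow)
 Confidence Unknown : 1 (flows)
 Confidence DPI : 2 (flows)
-Num dissector calls: 525 (175.00 diss/flow)
+Num dissector calls: 546 (182.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)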

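--- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -1,12 +1,12 @@
 Guessed flow protos: 28
 
-DPI Packets (TCP): 48 (2.29 pkts/flow)
+DPI Packets (TCP): 45 (2.14 pkts/flow)
 DPI Packets (UDP): 369 (1.64 pkts/flow)
 DPI Packets (other): 5 (1.00 pkts/flow)
 Confidence Unknown : 34 (flows)
 Confidence Match by port : 28 (flows)
 Confidence DPI : 189 (flows)
-Num dissector calls: 7833 (31.21 diss/flow)
+Num dissector calls: 7837 (31.22 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/192/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
@@ -44,7 +44,7 @@ Unrated 34 4212 34
 1 UDP 212.242.33.35:5060 <-> 192.168.1.2:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 100/SIP, Confidence: DPI][DPI packets: 1][cat: VoIP/10][23 pkts/11772 bytes <-> 37 pkts/14743 bytes][Goodput ratio: 91/89][1521.43 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/227 32597/38366 167478/304738 41340/57147][Pkt Len c2s/s2c min/avg/max/stddev: 344/47 512/398 711/1118 86/358][PLAIN TEXT (SIP/2.0 401 Unauthorized)][Plen Bins: 29,0,0,0,0,0,0,0,0,3,6,0,3,6,8,13,1,0,3,0,1,15,0,0,0,5,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: VoIP/10][9 pkts/4647 bytes <-> 3 pkts/1944 bytes][Goodput ratio: 92/93][66.58 sec][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 507/34556 8170/34556 32608/34556 10578/0][Pkt Len c2s/s2c min/avg/max/stddev: 417/637 516/648 864/656 186/8][PLAIN TEXT (INVITEKsip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,59,0,0,0,0,0,0,8,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 3 UDP 192.168.1.2:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][71 pkts/6532 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1527.12 sec][Hostname/SNI: eci_domain][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 741/0 20522/0 93225/0 24163/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EFEDEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 25][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Hostname/SNI: proftpd][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 22][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Hostname/SNI: proftpd][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 5 UDP 192.168.1.2:5060 -> 212.242.33.35:17860 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: VoIP/10][1 pkts/1118 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (INVITE six)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 6 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][5 pkts/1070 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.05 sec][PLAIN TEXT (goxcffj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 7 UDP 192.168.1.2:68 <-> 192.168.1.1:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 18/DHCP, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/342 bytes <-> 1 pkts/590 bytes][Goodput ratio: 87/93][0.00 sec][Hostname/SNI: d002465][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,43][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (002465Q)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]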

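--- a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out
@@ -1,20 +1,20 @@
-Guessed flow protos: 26
+Guessed flow protos: 25
 
-DPI Packets (TCP): 104 (2.67 pkts/flow)
+DPI Packets (TCP): 103 (2.64 pkts/flow)
 DPI Packets (other): 1 (1.00 pkts/flow)
 Confidence Unknown : 3 (flows)
-Confidence Match by port : 26 (flows)
-Confidence DPI : 11 (flows)
-Num dissector calls: 1167 (29.17 diss/flow)
+Confidence Match by port : 25 (flows)
+Confidence DPI : 12 (flows)
+Num dissector calls: 1194 (29.85 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/87/0 (insert/search/found)
+LRU cache bittorrent: 0/84/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
 LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/29/0 (insert/search/found)
+LRU cache mining: 0/28/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache fpc_dns: 0/31/0 (insert/search/found)
-Automa host: 4/0 (search/found)
-Automa domain: 4/0 (search/found)
+Automa host: 5/0 (search/found)
+Automa domain: 5/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 0/0 (search/found)
 Automa common alpns: 0/0 (search/found)
@@ -34,7 +34,7 @@ Unrated 3 655 3
 1 TCP 172.20.3.5:2601 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 13][cat: Web/5][9 pkts/6343 bytes <-> 4 pkts/409 bytes][Goodput ratio: 92/46][11.25 sec][bytes ratio: 0.879 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/104 67/128 469/152 164/24][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 705/102 1514/243 721/81][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 7.527 (Encrypted or Random?)][PLAIN TEXT (POST /servlets/mms HTTP/1.1)][Plen Bins: 16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,67,0,0]
 2 TCP 172.20.3.5:2606 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][8 pkts/2287 bytes <-> 5 pkts/2963 bytes][Goodput ratio: 80/91][11.18 sec][Hostname/SNI: 172.20.3.13][bytes ratio: -0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/58 177/172 83/81][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 286/593 1514/1514 478/662][URL: 172.20.3.13/servlets/mms?message-id=189301][Risk: ** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 110][Risk Info: Found host 172.20.3.13 / Empty or missing User-Agent][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,50,0,0]
 3 TCP 172.20.3.5:2604 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][5 pkts/1754 bytes <-> 4 pkts/583 bytes][Goodput ratio: 83/62][11.17 sec][Hostname/SNI: 172.20.3.13][bytes ratio: 0.501 (Upload)][IAT c2s/s2c min/avg/max/stddev: 307/81 2793/3724 10864/10997 4662/5143][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 351/146 1514/417 582/157][URL: 172.20.3.13/servlets/mms?message-id=189001][StatusCode: 200][Server: Resin/2.0.1][User-Agent: SonyEricssonT68/R201A][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 172.20.3.13][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
-4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 13][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 12][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Hostname/SNI: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-Text Credentials **** Non-Printable/Invalid Chars Detected **** Possible Exploit Attempt **][Risk Score: 350][Risk Info: Found credentials in HTTP Auth Line / Invalid host %s / Suspicious hostname: attack ?][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 5 TCP 172.20.3.5:2602 <-> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 3][cat: Web/5][4 pkts/942 bytes <-> 4 pkts/703 bytes][Goodput ratio: 75/69][11.10 sec][Hostname/SNI: 172.20.3.13][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/106 3699/5548 10844/10989 5054/5442][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 236/176 762/541 304/211][URL: 172.20.3.13.servlets/mms][StatusCode: 200][Req Content-Type: application/xml][Content-Type: application/xml][Server: Resin/2.0.1][Risk: ** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 110][Risk Info: Found host 172.20.3.13 / Empty or missing User-Agent][PLAIN TEXT (POST .servlets/mms HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 6 TCP 172.20.3.13:53136 <-> 172.20.3.5:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Web/5][5 pkts/586 bytes <-> 6 pkts/999 bytes][Goodput ratio: 54/66][5.21 sec][Hostname/SNI: 172.20.3.5][bytes ratio: -0.261 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/96 1737/1302 4910/5010 2247/2141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 117/166 370/481 126/150][StatusCode: 100][Req Content-Type: multipart/related][Server: Microsoft-IIS/4.0][User-Agent: MMS-Relay-DeliveryInitiator][PLAIN TEXT (POST /ppgctrl/ppgcon)][Plen Bins: 0,0,25,0,25,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 7 TCP 172.20.3.5:9587 -> 172.20.3.13:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 7/HTTP, Confidence: DPI][DPI packets: 1][cat: Web/5][1 pkts/1514 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Risk: ** HTTP Susp User-Agent **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No server to client traffic / Empty or missing User-Agent][PLAIN TEXT (POST /servlets/mms HTTP/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]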

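--- a/tests/cfgs/default/result/google_ssl.pcap.out
+++ b/tests/cfgs/default/result/google_ssl.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos: 1
 
 DPI Packets (TCP): 24 (24.00 pkts/flow)
 Confidence Match by port : 1 (flows)
-Num dissector calls: 205 (205.00 diss/flow)
+Num dissector calls: 239 (239.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)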
