STUN: improve demultiplexing of DTLS packets #2153

Merged
merged 1 commit into from
Nov 27, 2023
9 changes: 2 additions & 7 deletions src/lib/ndpi_main.c
Expand Up @@ -9868,15 +9868,10 @@ int ndpi_get_lru_cache_ttl(struct ndpi_detection_module_struct *ndpi_struct,
*/
u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow) {
#ifdef NDPI_ENABLE_DEBUG_MESSAGES
u_int16_t proto =
flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0];

NDPI_LOG_DBG2(ndpi_str, "[DEBUG] %s(%u.%u): %u\n", __FUNCTION__,
NDPI_LOG_DBG2(ndpi_str, "Protos (%u.%u): %d\n",
flow->detected_protocol_stack[0],
flow->detected_protocol_stack[1],
proto);
#endif
!!flow->extra_packets_func);

if(!flow->extra_packets_func)
return(0);
2 changes: 1 addition & 1 deletion src/lib/ndpi_private.h
Expand Up @@ -298,7 +298,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
struct ndpi_flow_struct *flow,
u_int16_t p_offset, u_int16_t certificate_len);
void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
struct ndpi_flow_struct *flow, int first_dtls_pkt);
int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len);
void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
81 changes: 61 additions & 20 deletions src/lib/protocols/stun.c
Expand Up @@ -335,6 +335,15 @@ static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struc
return 0;
}

static u_int32_t __get_master(struct ndpi_flow_struct *flow) {

if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
return flow->detected_protocol_stack[1];
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
return flow->detected_protocol_stack[0];
return NDPI_PROTOCOL_STUN;
}

static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
Expand All @@ -343,6 +352,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t first_byte;
u_int16_t app_proto = NDPI_PROTOCOL_UNKNOWN;
u_int32_t unused;
int first_dtls_pkt = 0;

NDPI_LOG_DBG2(ndpi_struct, "Packet counter %d protos %d/%d\n", flow->packet_counter,
flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
Expand Down Expand Up @@ -370,24 +380,50 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "DROP or ZRTP range. Unexpected\n");
} else if(first_byte <= 63) {
NDPI_LOG_DBG(ndpi_struct, "DTLS\n");
if(is_dtls(packet->payload, packet->payload_packet_len, &unused) &&
flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No previous subclassification */) {

if(ndpi_struct->opportunistic_tls_stun_enabled &&
is_dtls(packet->payload, packet->payload_packet_len, &unused)) {

/* Process this DTLS packet via TLS/DTLS code but keep using STUN dissection.
This way we can keep demultiplexing DTLS/STUN/RTP */

/* Switching to TLS dissector is tricky, because we are calling one dissector
from another one, and that is not a common operation...
Additionally:
* at that point protocol stack is already set to STUN
* at that point protocol stack is already set to STUN or STUN/XXX
* we have room for only two protocols in flow->detected_protocol_stack[] so
we can't have something like STUN/DTLS/SNAPCHAT_CALL
* the easiest (!?) solution is to remove STUN, and let TLS dissector to set both
master (i.e. DTLS) and subprotocol (if any) */
if(ndpi_struct->opportunistic_tls_stun_enabled) {
/* TODO: right way? It is a bit scary... do we need to reset something else too? */
ndpi_reset_detected_protocol(ndpi_struct, flow);
ndpi_int_change_category(ndpi_struct, flow, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED);

flow->stun.maybe_dtls = 1;
NDPI_LOG_DBG(ndpi_struct, "Switch to TLS\n");
switch_to_tls(ndpi_struct, flow);
* the easiest (!?) solution is to remove everything, and let the TLS dissector
to set both master (i.e. DTLS) and subprotocol (if any) */

if(packet->tcp) {
/* TODO: TLS code assumes that DTLS is only over UDP */
NDPI_LOG_DBG(ndpi_struct, "Ignoring DTLS over TCP\n");
} else {
if(flow->tls_quic.certificate_processed == 1) {
NDPI_LOG_DBG(ndpi_struct, "Interesting DTLS stuff already processed. Ignoring\n");
} else {
if(flow->stun.maybe_dtls == 0) {
/* First DTLS packet of the flow */
first_dtls_pkt = 1;

/* TODO: right way? It is a bit scary... do we need to reset something else too? */
ndpi_reset_detected_protocol(ndpi_struct, flow);
ndpi_int_change_category(ndpi_struct, flow, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED);

/* Give room for DTLS handshake, where we might have
retransmissions and fragments */
flow->max_extra_packets_to_check += 10;
flow->stun.maybe_dtls = 1;
}
NDPI_LOG_DBG(ndpi_struct, "Switch to TLS (%d/%d)\n",
flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);

switch_to_tls(ndpi_struct, flow, first_dtls_pkt);

NDPI_LOG_DBG(ndpi_struct, "(%d/%d)\n",
flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
}
}
}
} else if(first_byte <= 127) {
Expand All @@ -402,14 +438,19 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_type);

if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) {
/* STUN/SUBPROTO -> SUBPROTO/RTP */
ndpi_set_detected_protocol(ndpi_struct, flow,
NDPI_PROTOCOL_RTP, flow->detected_protocol_stack[0],
NDPI_CONFIDENCE_DPI);
if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DTLS) {
/* Keep DTLS/SUBPROTO since we already wrote to flow->protos.tls_quic */
} else {
/* STUN/SUBPROTO -> SUBPROTO/RTP */
ndpi_set_detected_protocol(ndpi_struct, flow,
NDPI_PROTOCOL_RTP, flow->detected_protocol_stack[0],
NDPI_CONFIDENCE_DPI);
}
} else {
/* STUN -> STUN/RTP */
/* STUN -> STUN/RTP, or
DTLS -> DTLS/RTP */
ndpi_set_detected_protocol(ndpi_struct, flow,
NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_STUN,
NDPI_PROTOCOL_RTP, __get_master(flow),
NDPI_CONFIDENCE_DPI);
}
return 0; /* Stop */
Expand Down Expand Up @@ -522,7 +563,7 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN ||
app_proto != NDPI_PROTOCOL_UNKNOWN) {
NDPI_LOG_DBG(ndpi_struct, "Setting %d\n", app_proto);
ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, NDPI_PROTOCOL_STUN, confidence);
ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, __get_master(flow), confidence);
}

/* This is quite complex. We want extra dissection for:
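Review bot: The `ndpi_reset_detected_protocol(ndpi_struct, flow)` call in the first-DTLS-packet branch of stun_search_again now runs even when the flow already carries a STUN sub-classification, because the former `flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN` guard was dropped; whatever the STUN attributes had established is discarded and must be re-derived by the TLS side, which the comment ("remove everything") hints at but the code does not state as intended, so a line such as `/* Any STUN/XXX sub-classification set so far is intentionally lost here; the DTLS dissector re-sets master and app protocol */` would make the trade-off explicit. The `flow->max_extra_packets_to_check += 10;` increment is applied at most once per flow (it sits under `flow->stun.maybe_dtls == 0`), which keeps the extra-dissection budget bounded; giving the literal a name (a constructed example: `#define STUN_DTLS_EXTRA_PKTS 10`) would document that budget instead of leaving a magic number. The `flow->tls_quic.certificate_processed == 1` check relies on tls.c setting that flag artificially on ChangeCipherSpec, and that cross-file coupling deserves a comment at the check. The enclosing function stun_search_again starts and ends outside the hunk.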
37 changes: 14 additions & 23 deletions src/lib/protocols/tls.c
Expand Up @@ -1231,18 +1231,6 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
const u_int8_t *block = (const u_int8_t *)&p[processed];

if(!is_dtls(block, p_len, &block_len)) {
if(processed == 0 && /* First block */
flow->stun.maybe_dtls == 1) {
/* Sometimes STUN packets are interleaved with TLS ones. Ignore STUN ones
since we already are after STUN dissection and we are interested only on
TLS stuff right now */
#ifdef DEBUG_TLS
printf("Probably a stun packet. Keep going with TLS on next packets\n");
#endif
/* Note that we can immediately "return" because, being the first block,
we don't need to restore packet->payload and packet->payload_packet_len */
return(1); /* Keep working */
}
no_dtls = 1;
break;
}
Expand Down Expand Up @@ -1332,6 +1320,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
#endif
change_cipher_found = 1;
processed += block_len + 13;
flow->tls_quic.certificate_processed = 1; /* Fake, to avoid extra dissection */
break;
} else {
#ifdef DEBUG_TLS
Expand Down Expand Up @@ -1359,7 +1348,6 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,

if(no_dtls || change_cipher_found || flow->tls_quic.certificate_processed) {
NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_DTLS);
flow->extra_packets_func = NULL;
return(0); /* That's all */
} else {
return(1); /* Keep working */
Expand Down Expand Up @@ -1401,19 +1389,21 @@ void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_st
/* **************************************** */

void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
struct ndpi_flow_struct *flow, int first_time)
{
#ifdef DEBUG_TLS
printf("Switching to TLS\n");
#endif

/* Reset reassemblers */
if(flow->tls_quic.message[0].buffer)
ndpi_free(flow->tls_quic.message[0].buffer);
memset(&flow->tls_quic.message[0], '\0', sizeof(flow->tls_quic.message[0]));
if(flow->tls_quic.message[1].buffer)
ndpi_free(flow->tls_quic.message[1].buffer);
memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1]));
if(first_time) {
/* Reset reassemblers */
if(flow->tls_quic.message[0].buffer)
ndpi_free(flow->tls_quic.message[0].buffer);
memset(&flow->tls_quic.message[0], '\0', sizeof(flow->tls_quic.message[0]));
if(flow->tls_quic.message[1].buffer)
ndpi_free(flow->tls_quic.message[1].buffer);
memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1]));
}

ndpi_search_tls_wrapper(ndpi_struct, flow);
}
Expand Down Expand Up @@ -1498,8 +1488,9 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
protocol = __get_master(ndpi_struct, flow);

ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol, NDPI_CONFIDENCE_DPI);

tlsInitExtraPacketProcessing(ndpi_struct, flow);
/* We don't want to ovewrite STUN extra dissection, if enabled */
if(!flow->extra_packets_func)
tlsInitExtraPacketProcessing(ndpi_struct, flow);
}

/* **************************************** */
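Review bot: Setting `flow->tls_quic.certificate_processed = 1;` on a ChangeCipherSpec in ndpi_search_tls_udp overloads a flag whose name says a certificate was parsed, and stun.c now reads the same field ("Interesting DTLS stuff already processed") to decide whether to hand packets to TLS at all, so any other reader that takes the flag literally could be misled; a dedicated bit would express the intent, and failing that the comment should name its consumers, e.g. `/* Fake: makes both the exclusion check below and stun.c's DTLS hand-off stop dissecting */`. In switch_to_tls the new parameter is named `first_time` while the prototype in ndpi_private.h names it `first_dtls_pkt`; the two should agree, and a one-line comment on the definition stating that the reassembly buffers are reset only on the first DTLS packet of a STUN flow would document the contract. The comment added in ndpi_int_tls_add_connection has a typo, `ovewrite` should read `overwrite`. Both ndpi_search_tls_udp and ndpi_int_tls_add_connection extend outside their hunks.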
Binary file added tests/cfgs/default/pcap/stun_dtls_rtp.pcapng
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/dtls_certificate.pcapng.out
@@ -1,4 +1,4 @@
Guessed flow protos: 0
Guessed flow protos: 1

DPI Packets (UDP): 1 (1.00 pkts/flow)
Confidence DPI : 1 (flows)
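--- /dev/null
+++ b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out
@@ -0,0 +1,28 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 1 (1.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 6 (6.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 2/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 1/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+GoogleHangoutDuo 39 8413 1
+
+1 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]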
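--- /dev/null
+++ b/tests/cfgs/default/result/stun_dtls_rtp_unidir.pcapng.out
@@ -0,0 +1,29 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 10 (5.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 12 (6.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 6/20/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 4/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+STUN 43 10358 2
+
+1 UDP 10.1.0.3:5853 -> 10.10.0.1:2808 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][18 pkts/5384 bytes -> 0 pkts/0 bytes][Goodput ratio: 86/0][7.17 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 386/0 4001/0 979/0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 299/0 750/0 221/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (Coturn)][Plen Bins: 0,5,5,5,34,22,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+2 UDP 10.10.0.1:65226 -> 10.1.0.3:57730 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][25 pkts/4974 bytes -> 0 pkts/0 bytes][Goodput ratio: 79/0][7.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/0 4001/0 904/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 199/0 478/0 92/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (username1)][Plen Bins: 0,8,16,16,32,0,4,8,0,12,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]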
@@ -1,12 +1,12 @@
Guessed flow protos: 0
Guessed flow protos: 1

DPI Packets (UDP): 4 (4.00 pkts/flow)
DPI Packets (UDP): 6 (6.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 6 (6.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/4/0 (insert/search/found)
LRU cache stun: 0/8/0 (insert/search/found)
LRU cache tls_cert: 0/1/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
Expand All @@ -30,4 +30,4 @@ JA3 Host Stats:
1 26.83.9.81 1


1 UDP 26.83.9.81:57567 -> 33.35.223.103:540 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][6 pkts/1708 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][1.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 232/0 299/0 116/0][Pkt Len c2s/s2c min/avg/max/stddev: 106/0 285/0 873/0 267/0][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / No ALPN][DTLSv1.0][JA3C: f5eee7bc59657db39e2b9cdd401d78b7][PLAIN TEXT (ugPnBzE)][Plen Bins: 0,0,16,51,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
1 UDP 26.83.9.81:57567 -> 33.35.223.103:540 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][6 pkts/1708 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][1.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 232/0 299/0 116/0][Pkt Len c2s/s2c min/avg/max/stddev: 106/0 285/0 873/0 267/0][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 120][Risk Info: No server to client traffic / No ALPN][DTLSv1.0][JA3C: f5eee7bc59657db39e2b9cdd401d78b7][PLAIN TEXT (ugPnBzE)][Plen Bins: 0,0,16,51,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -1,12 +1,12 @@
Guessed flow protos: 0
Guessed flow protos: 1

DPI Packets (UDP): 3 (3.00 pkts/flow)
DPI Packets (UDP): 6 (6.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 6 (6.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/4/0 (insert/search/found)
LRU cache stun: 0/8/0 (insert/search/found)
LRU cache tls_cert: 0/1/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
Expand All @@ -29,4 +29,4 @@ JA3 Host Stats:
IP Address # JA3C


1 UDP 33.35.223.103:540 -> 26.83.9.81:57567 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][6 pkts/1563 bytes -> 0 pkts/0 bytes][Goodput ratio: 84/0][1.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/0 299/0 116/0][Pkt Len c2s/s2c min/avg/max/stddev: 106/0 260/0 958/0 312/0][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** Unidirectional Traffic **][Risk Score: 160][Risk Info: No client to server traffic / CN=LiveFoundry Inc.][DTLSv1.0][JA3S: 1974c5c625e99dc22d0477079a54aed3][Issuer: CN=LiveFoundry Inc.][Subject: CN=LiveFoundry Inc.][Certificate SHA-1: 23:F4:E7:42:93:22:91:BB:A3:54:70:97:94:2A:DE:AF:26:61:18:98][Validity: 2015-08-27 09:07:05 - 2016-08-27 09:07:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (LiveFoundry Inc.0)][Plen Bins: 0,0,67,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
1 UDP 33.35.223.103:540 -> 26.83.9.81:57567 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][6 pkts/1563 bytes -> 0 pkts/0 bytes][Goodput ratio: 84/0][1.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/0 299/0 116/0][Pkt Len c2s/s2c min/avg/max/stddev: 106/0 260/0 958/0 312/0][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** Unidirectional Traffic **][Risk Score: 160][Risk Info: No client to server traffic / CN=LiveFoundry Inc.][DTLSv1.0][JA3S: 1974c5c625e99dc22d0477079a54aed3][Issuer: CN=LiveFoundry Inc.][Subject: CN=LiveFoundry Inc.][Certificate SHA-1: 23:F4:E7:42:93:22:91:BB:A3:54:70:97:94:2A:DE:AF:26:61:18:98][Validity: 2015-08-27 09:07:05 - 2016-08-27 09:07:05][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (LiveFoundry Inc.0)][Plen Bins: 0,0,67,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/stun_zoom.pcapng.out
Expand Up @@ -6,7 +6,7 @@ Num dissector calls: 12 (6.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/18/0 (insert/search/found)
LRU cache stun: 0/24/0 (insert/search/found)
LRU cache tls_cert: 0/4/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)