diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index 4987e2fa09b..99c105db29a 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -44,5 +44,6 @@ TODO
 | "http" | "process_response" | enable | NULL | NULL | Enable/disable processing of HTTP responses. By default, HTTP flows are usually fully classified after the first request/response pair. If this parameter is disabled, the flows are fully classified after the first request (or after the first response, if the request is missing); in that case, some flow risks are not checked and some metadata are not exported |
 | "ookla" | "dpi.aggressiveness", | 0x01 | 0x00 | 0x01 | Detection aggressiveness for Ookla. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable heuristic for detection over TLS (via Ookla LRU cache) |
 | "zoom" | "max_packets_extra_dissection" | 4 | 0 | 255 | After a flow has been classified has Zoom, nDPI might analyse more packets to look for a sub-classification or for metadata. This parameter set the upper limit on the number of these packets |
+| "rtp" | "search_for_stun" | disable | NULL | NULL | After a flow has been classified as RTP or RTCP, nDPI might analyse more packets to look for STUN/DTLS packets, i.e. to try to tell if this flow is a "pure" RTP/RTCP flow or if the RTP/RTCP packets are multiplexed with STUN/DTLS. Useful for proper (sub)classification when the beginning of the flows are not captured or if there are lost packets in the the captured traffic. If enabled, nDPI requires more packets to process for each RTP/RTCP flow. |
 | $PROTO_NAME | "log" | disable | NULL | NULL | Enable/disable logging/debug for specific protocol. Use "any" as protocol name if you want to easily enable/disable logging/debug for all protocols |
 | $PROTO_NAME | "ip_list.load" | 1 | NULL | NULL | Enable/disable loading of internal list of IP addresses (used for (sub)classification) specific to that protocol. Use "any" as protocol name if you want to easily enable/disable all lists.
This knob is valid only for the following protocols: Alibaba, Amazon AWS, Apple, Avast, Bloomberg, Cachefly, Cloudflare, Discord, Disney+, Dropbox, Edgecast, EpicGames, Ethereum, Facebook, Github, Google, Google Cloud, GoTo, Hotspot Shield, Hulu, Line, Microsoft 365, Microsoft Azure, Microsoft One Drive, Microsoft Outlook, Mullvad, Netflix, Nvidia, OpenDNS, ProtonVPN, RiotGames, Roblox, Skype/Teams, Starcraft, Steam, Teamviewer, Telegram, Tencent, Threema, TOR, Twitch, Twitter, UbuntuONE, VK, Yandex, Yandex Cloud, Webex, Whatsapp, Zoom |
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 8ce14bfdd82..94b250e6476 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -218,6 +218,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 snprintf(cfg_value, sizeof(cfg_value), "%d", value);
 ndpi_set_config(ndpi_info_mod, "zoom", "max_packets_extra_dissection", cfg_value);
 }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 0x01 + 1);
+ snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+ ndpi_set_config(ndpi_info_mod, "rtp", "search_for_stun", cfg_value);
+ }
 if(fuzzed_data.ConsumeBool()) {
 value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
 snprintf(cfg_value, sizeof(cfg_value), "%d", value);
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 5bd0662f158..9d061e5ca5d 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -72,6 +72,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 ndpi_set_config(workflow->ndpi_struct, NULL, "tcp_ack_payload_heuristic", "1");
 ndpi_set_config(workflow->ndpi_struct, "tls", "application_blocks_tracking", "1");
 ndpi_set_config(workflow->ndpi_struct, "stun", "max_packets_extra_dissection", "255");
+ ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1");
 ndpi_finalize_initialization(workflow->ndpi_struct);
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 36af7b277c6..a236c59cad2 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -259,6 +259,8 @@ struct ndpi_detection_module_config_struct {
 int zoom_max_packets_extra_dissection;
+ int rtp_search_for_stun;
+
 NDPI_PROTOCOL_BITMASK debug_bitmask;
 NDPI_PROTOCOL_BITMASK ip_list_bitmask;
@@ -666,6 +668,7 @@ int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct
 int is_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t *app_proto);
+void switch_extra_dissection_to_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
 /* TPKT */
 int tpkt_verify_hdr(const struct ndpi_packet_struct * const packet);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8f70c898500..b97385999d2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -11174,6 +11174,8 @@ static const struct cfg_param {
 { "zoom", "max_packets_extra_dissection", "4", "0", "255", CFG_PARAM_INT, __OFF(zoom_max_packets_extra_dissection), NULL },
+ { "rtp", "search_for_stun", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(rtp_search_for_stun), NULL },
+
 { "$PROTO_NAME_OR_ID", "log", "disable", NULL, NULL, CFG_PARAM_PROTOCOL_ENABLE_DISABLE, __OFF(debug_bitmask), NULL },
 { "$PROTO_NAME_OR_ID", "ip_list.load", "1", NULL, NULL, CFG_PARAM_PROTOCOL_ENABLE_DISABLE, __OFF(ip_list_bitmask), NULL },
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index d8c09be3aaa..e05d0ee893f 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -135,6 +135,24 @@ int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
 return NO_RTP_RTCP;
 }
+
+static void ndpi_int_rtp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ u_int16_t proto)
+{
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_UNKNOWN, proto,
+ NDPI_CONFIDENCE_DPI);
+ if(ndpi_struct->cfg.rtp_search_for_stun) {
+ /* It makes sense to look for STUN only if we didn't capture the entire flow,
+ from the beginning */
+ if(!(flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow))) {
+ NDPI_LOG_DBG(ndpi_struct, "Enabling (STUN) extra dissection\n");
+ switch_extra_dissection_to_stun(ndpi_struct, flow);
+ }
+ }
+}
+
 /* *************************************************************** */
 static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
@@ -186,9 +204,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
 rtp_get_stream_type(payload[1] & 0x7F, &flow->flow_multimedia_type);
 NDPI_LOG_INFO(ndpi_struct, "Found RTP\n");
- ndpi_set_detected_protocol(ndpi_struct, flow,
- NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP,
- NDPI_CONFIDENCE_DPI);
+ ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTP);
 }
 return;
 }
@@ -202,16 +218,14 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
 } else if(is_rtp == IS_RTCP && flow->rtp_stage == 0) {
 if(flow->rtcp_stage == 3) {
 NDPI_LOG_INFO(ndpi_struct, "Found RTCP\n");
- ndpi_set_detected_protocol(ndpi_struct, flow,
- NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTCP,
- NDPI_CONFIDENCE_DPI);
+ ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
 return;
 }
 flow->rtcp_stage += 1;
 } else {
 if(flow->rtp_stage || flow->rtcp_stage) {
- u_int16_t app_proto; /* unused */
 u_int32_t unused;
+ u_int16_t app_proto = NDPI_PROTOCOL_UNKNOWN;
 /* TODO: we should switch to the demultiplexing-code in stun dissector */
 if(is_stun(ndpi_struct, flow, &app_proto) != 0 &&
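Review bot: The comment in `ndpi_int_rtp_add_connection` says STUN is searched only when the flow was not captured from its beginning, but the guard `!(flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow))` is true for every non-TCP flow, so with `search_for_stun` enabled each UDP RTP/RTCP flow is handed to the STUN extra dissection. If that is intended because no start-of-flow signal exists for UDP, the comment should say so, for example `/* Skip only TCP flows seen from their beginning; for UDP we cannot tell, so always look for STUN */`. The helper also has no header comment; one line stating that it sets the RTP/RTCP classification and may arm the STUN extra dissection would help a reader see that later packets of the flow can be processed by stun.c.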
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 3756887664d..78d0a11d9f9 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -62,7 +62,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 /* Valid classifications:
- * STUN, DTLS, STUN/RTP, DTLS/SRTP
+ * STUN, DTLS, STUN/RTP, DTLS/SRTP, RTP or RTCP (the last two, only from RTP dissector)
 * STUN/APP, DTLS/APP, SRTP/APP ["real" sub-classification] The idea is: * the specific "real" application (WA/FB/Signal/...), if present, should
@@ -807,6 +807,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_type);
 if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP &&
+ flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTCP &&
 flow->detected_protocol_stack[1] != NDPI_PROTOCOL_SRTP) {
 if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) {
@@ -824,6 +825,11 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 __get_master(flow) == NDPI_PROTOCOL_STUN ? NDPI_PROTOCOL_RTP: NDPI_PROTOCOL_SRTP, __get_master(flow));
 }
+ } else if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RTCP &&
+ flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
+ /* From RTP dissector; if we have RTP and RTCP multiplexed together (but not STUN, yet) we always
+ use RTP, as we do in RTP dissector */
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP, NDPI_CONFIDENCE_DPI);
 }
 } else if(rtp_rtcp == IS_RTCP) {
 NDPI_LOG_DBG(ndpi_struct, "RTCP\n");
@@ -971,9 +977,22 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
 confidence = NDPI_CONFIDENCE_DPI_CACHE;
 if(app_proto == NDPI_PROTOCOL_RTP)
 master_proto = NDPI_PROTOCOL_SRTP; /* STUN/RTP --> SRTP/APP */
+ if(master_proto == NDPI_PROTOCOL_RTP || master_proto == NDPI_PROTOCOL_RTCP)
+ master_proto = NDPI_PROTOCOL_SRTP; /* RTP|RTCP --> SRTP/APP */
 app_proto = new_app_proto;
 }
 }
+
+ /* From RTP dissector */
+ if(master_proto == NDPI_PROTOCOL_RTP || master_proto == NDPI_PROTOCOL_RTCP) {
+ if(app_proto == NDPI_PROTOCOL_UNKNOWN) {
+ app_proto = NDPI_PROTOCOL_RTP;
+ master_proto = NDPI_PROTOCOL_STUN; /* RTP|RTCP ->STUN/RTP */
+ } else {
+ master_proto = NDPI_PROTOCOL_SRTP;
+ }
+ }
+
 /* Adding only real subclassifications */
 if(is_subclassification_real_by_proto(app_proto))
 add_to_caches(ndpi_struct, flow, app_proto);
@@ -991,10 +1010,20 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
 }
 }
- if(!flow->extra_packets_func && keep_extra_dissection(ndpi_struct, flow)) {
- NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n");
- flow->max_extra_packets_to_check = ndpi_struct->cfg.stun_max_packets_extra_dissection;
- flow->extra_packets_func = stun_search_again;
+ switch_extra_dissection_to_stun(ndpi_struct, flow);
+}
+
+/* ************************************************************ */
+
+void switch_extra_dissection_to_stun(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ if(!flow->extra_packets_func) {
+ if(keep_extra_dissection(ndpi_struct, flow)) {
+ NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n");
+ flow->max_extra_packets_to_check = ndpi_struct->cfg.stun_max_packets_extra_dissection;
+ flow->extra_packets_func = stun_search_again;
+ }
 }
 }
diff --git a/tests/cfgs/stun_extra_dissection/config.txt b/tests/cfgs/stun_extra_dissection/config.txt
index 87f4665436d..be72880b215 100644
--- a/tests/cfgs/stun_extra_dissection/config.txt
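Review bot: The `if(master_proto == NDPI_PROTOCOL_RTP || master_proto == NDPI_PROTOCOL_RTCP)` added inside the cache-hit branch of `ndpi_int_stun_add_connection` looks redundant with the "From RTP dissector" block added a few lines below it. Once `app_proto = new_app_proto` has run, that later block maps the same masters to `NDPI_PROTOCOL_SRTP` in its `else` arm, provided `new_app_proto` is never `NDPI_PROTOCOL_UNKNOWN` at that point (the cache lookup is outside the hunk). Keeping the RTP/RTCP master rewrite in one place would make the hand-over from the RTP dissector easier to audit. The `else` arm also lacks the mapping comment its sibling has; `/* RTP|RTCP + APP --> SRTP/APP */` would match the notation used above. The function starts outside the hunk.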
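Review bot: `switch_extra_dissection_to_stun` is now a cross-file entry point (declared in ndpi_private.h and called from rtp.c) but has no comment describing its contract. Two things are worth writing down above it: it does nothing when `flow->extra_packets_func` is already set, and the packet budget it installs is `cfg.stun_max_packets_extra_dissection`, so the per-flow cost of `rtp,search_for_stun` is bounded by the STUN knob and not by anything under `rtp`; the parameter description in doc/configuration_parameters.md could mention that too. It would also be worth confirming that `keep_extra_dissection` and `stun_search_again`, both outside the hunk, behave sensibly for a flow whose first classification is RTP or RTCP and which never went through the STUN dissector's own detection path.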
+++ b/tests/cfgs/stun_extra_dissection/config.txt
@@ -1 +1 @@
---cfg=stun,max_packets_extra_dissection,255 -U 0 -T 0 --cfg=packets_limit_per_flow,255
+--cfg=stun,max_packets_extra_dissection,255 -U 0 -T 0 --cfg=packets_limit_per_flow,255 --cfg=rtp,search_for_stun,1
diff --git a/tests/cfgs/stun_extra_dissection/pcap/lru_ipv6_caches.pcapng b/tests/cfgs/stun_extra_dissection/pcap/lru_ipv6_caches.pcapng
new file mode 120000
index 00000000000..56b131a341f
--- /dev/null
+++ b/tests/cfgs/stun_extra_dissection/pcap/lru_ipv6_caches.pcapng
@@ -0,0 +1 @@
+../../default/pcap/lru_ipv6_caches.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/stun_extra_dissection/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/stun_extra_dissection/result/lru_ipv6_caches.pcapng.out
new file mode 100644
index 00000000000..6c0f024446b
--- /dev/null
+++ b/tests/cfgs/stun_extra_dissection/result/lru_ipv6_caches.pcapng.out
@@ -0,0 +1,47 @@ +DPI Packets (TCP): 9 (3.00 pkts/flow) +DPI Packets (UDP): 69 (7.67 pkts/flow) +Confidence DPI (cache) : 5 (flows) +Confidence DPI : 7 (flows) +Num dissector calls: 591 (49.25 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 30/5/3 (insert/search/found) +LRU cache stun: 6/18/0 (insert/search/found) +LRU cache tls_cert: 1/3/2 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/0/0 (insert/search/found) +Automa host: 9/0 (search/found) +Automa domain: 9/0 (search/found) +Automa tls cert: 1/1 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 3/3 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 24/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 12/0 (search/found) +Patricia protocols: 0/0 (search/found) +Patricia protocols IPv6: 24/0 (search/found) + +BitTorrent 25 4546 5 +WhatsAppCall 24 3996 3 +RTP 30 3450 1 +Cloudflare 9 8862 3 + +Acceptable 88 20854 12 + +JA3 Host Stats: + IP Address # JA3C + + + 1 UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78.87/STUN.RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 30][cat: Media/1][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **** Probing attempt 
**][Risk Score: 60][Risk Info: No client to server traffic / TCP connection with unidirectional traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 3 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 4 TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 
9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0] + 5 UDP [2a2f:8509:1cb2:466d:ecbf:69d6:109c:608]:62229 -> [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 6][cat: Download/7][9 pkts/2397 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][9.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1249/0 8358/0 2694/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 266/0 610/0 243/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 44,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP [3069:c624:1d42:9469:98b1:67ff:fe43:325]:56131 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][11 pkts/1958 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][2.35 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/0 236/0 1183/0 350/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 178/0 214/0 41/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BHBeRjaHJ)][Plen Bins: 9,0,18,0,72,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP [2118:ec33:112b:7908:2c80:27ff:fef7:d71f]:48415 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI 
packets: 11][cat: VoIP/10][11 pkts/1742 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][2.97 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 279/0 1388/0 400/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 158/0 214/0 51/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (NGuJOnsW)][Plen Bins: 18,0,36,0,45,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27]:60506 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Download/7][11 pkts/1319 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][6.03 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 670/0 2769/0 758/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 120/0 431/0 99/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (added.f)][Plen Bins: 72,18,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2fda:1f8a:c107:88a4:e509:d2e1:445f:f34c]:6881 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][8.49 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 10 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [38b2:46b7:27a4:94c3:c134:948:e069:d71f]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 2][cat: Download/7][2 pkts/332 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][20.08 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional 
Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 11 UDP [3297:a1af:5121:cfc:360b:2e07:872f:1ea0]:43865 -> [32fb:f967:681e:e96b:face:b00c::74fd]:3478 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][0.26 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (BZ9/sp6)][Plen Bins: 50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 12 UDP [3991:72d:336e:65ec:c5bf:a5fa:83ad:23de]:6881 -> [2c7f:d7a0:44a9:49e9:e586:fb7f:5b85:9c83]:1 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI (cache)][DPI packets: 1][cat: Download/7][1 pkts/166 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (hash20)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]