Use c-captured within test/run_tests.sh.

* Some logging related modifications were required to achieve this.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Toni Uhlig
2023-11-11 19:06:48 +01:00
parent 8ebaccc27d
commit 4920b2a4be
459 changed files with 1800 additions and 69 deletions


@@ -11,7 +11,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -141,7 +140,7 @@ static int pcap_open_or_append(int packet_datalink,
if (*pd == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "pcap error %s", pcap_geterr(*p));
logger(1, "pcap error %s", pcap_geterr(*p));
pcap_close(*p);
return 1;
}
@@ -175,13 +174,13 @@ static void decode_base64(pcap_dumper_t * const pd,
}
else
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "BUG: Can not decode base64 packet.");
logger(1, "%s", "BUG: Can not decode base64 packet.");
return;
}
if (nDPIsrvd_base64decode(base64_packet, base64_packet_size, pkt_buf, &pkt_buf_len) != 0 || pkt_buf_len == 0)
{
syslog(LOG_DAEMON | LOG_ERR, "packet base64 decode failed (%zu bytes): %s", base64_packet_size, base64_packet);
logger(1, "packet base64 decode failed (%zu bytes): %s", base64_packet_size, base64_packet);
}
else
{
@@ -485,7 +484,7 @@ static int packet_write_pcap_file(struct global_user_data const * const global_u
if (utarray_len(pd_array) == 0)
{
syslog(LOG_DAEMON, "Can not dump packets to pcap; packet array empty");
logger(0, "Can not dump packets to pcap; packet array empty");
return 1;
}
@@ -501,7 +500,7 @@ static int packet_write_pcap_file(struct global_user_data const * const global_u
char filename[PATH_MAX];
if (packet_generate_pcap_filename(filename, sizeof(filename), packet_datalink) == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "Internal error. Could not generate PCAP filename, exit ..");
logger(1, "%s", "Internal error. Could not generate PCAP filename, exit ..");
return 1;
}
@@ -509,7 +508,7 @@ static int packet_write_pcap_file(struct global_user_data const * const global_u
pcap_dumper_t * pd = NULL;
if (pcap_open_or_append(packet_datalink, filename, &p, &pd) != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Can not dump packets to pcap; file open/append failed");
logger(1, "Can not dump packets to pcap; file open/append failed");
return 1;
}
@@ -564,13 +563,13 @@ static int flow_write_pcap_file(struct flow_user_data const * const flow_user, c
if (utarray_len(pd_array) == 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Can not dump flow packets to pcap; flow packet array empty");
logger(1, "Can not dump flow packets to pcap; flow packet array empty");
return 0;
}
if (pcap_open_or_append(packet_datalink, filename, &p, &pd) != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Can not dump flow packets to pcap; file open/append failed");
logger(1, "Can not dump flow packets to pcap; file open/append failed");
return 0;
}
@@ -619,24 +618,24 @@ static enum nDPIsrvd_conversion_return perror_ull(enum nDPIsrvd_conversion_retur
break;
case CONVERISON_KEY_NOT_FOUND:
syslog(LOG_DAEMON | LOG_ERR, "%s: Key not found.", prefix);
logger(1, "%s: Key not found.", prefix);
break;
case CONVERSION_NOT_A_NUMBER:
syslog(LOG_DAEMON | LOG_ERR, "%s: Not a valid number.", prefix);
logger(1, "%s: Not a valid number.", prefix);
break;
case CONVERSION_RANGE_EXCEEDED:
syslog(LOG_DAEMON | LOG_ERR, "%s: Number too large.", prefix);
logger(1, "%s: Number too large.", prefix);
break;
default:
syslog(LOG_DAEMON | LOG_ERR, "Internal error, invalid conversion return value.");
logger(1, "Internal error, invalid conversion return value.");
break;
}
return retval;
}
static void syslog_event(struct nDPIsrvd_socket * const sock,
static void log_event(struct nDPIsrvd_socket * const sock,
struct nDPIsrvd_flow * const flow,
char const * const event_name)
{
@@ -653,7 +652,7 @@ static void syslog_event(struct nDPIsrvd_socket * const sock,
if (src_ip == NULL || dst_ip == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "Flow %llu: Missing essential source/destination IP address.", flow->id_as_ull);
logger(1, "Flow %llu: Missing essential source/destination IP address.", flow->id_as_ull);
}
else
{
@@ -677,7 +676,23 @@ static void syslog_event(struct nDPIsrvd_socket * const sock,
}
}
syslog(LOG_DAEMON | LOG_ERR,
if (is_console_logger_enabled() != 0)
{
printf("Flow %llu %s: %.*s %.*s%s -> %.*s%s\n",
flow->id_as_ull,
event_name,
(l4_proto_str != NULL ? (int)l4_proto_len : na_len),
(l4_proto_str != NULL ? l4_proto_str : na),
(src_ip_str != NULL ? (int)src_ip_len : na_len),
(src_ip_str != NULL ? src_ip_str : na),
src_port_str,
(dst_ip_str != NULL ? (int)dst_ip_len : na_len),
(dst_ip_str != NULL ? dst_ip_str : na),
dst_port_str);
}
else
{
logger(0,
"Flow %llu %s: %.*s %.*s%s -> %.*s%s",
flow->id_as_ull,
event_name,
@@ -690,6 +705,7 @@ static void syslog_event(struct nDPIsrvd_socket * const sock,
(dst_ip_str != NULL ? dst_ip_str : na),
dst_port_str);
}
}
static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_socket * const sock,
struct nDPIsrvd_instance * const instance,
@@ -708,17 +724,17 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
if (utarray_packets_init(global_user) == 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Memory allocation for packet data failed.");
logger(1, "Memory allocation for packet data failed.");
return CALLBACK_ERROR;
}
if (TOKEN_GET_SZ(sock, "error_event_name") != NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "Received an error event for packet id %llu.", packet_id);
logger(1, "Received an error event for packet id %llu.", packet_id);
if (TOKEN_GET_SZ(sock, "error_event_id") == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "Missing error event id.");
logger(1, "Missing error event id.");
return CALLBACK_ERROR;
}
@@ -727,28 +743,26 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
struct packet_data pd = {.error_event_id = error_event_id, .packet_id = packet_id};
if (utarray_packets_add(global_user, &pd) == 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Could not add packet to array with id %llu.", packet_id);
logger(1, "Could not add packet to array with id %llu.", packet_id);
return CALLBACK_ERROR;
}
}
else if (TOKEN_VALUE_EQUALS_SZ(sock, TOKEN_GET_SZ(sock, "packet_event_name"), "packet") != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Received an packet event for packet id %llu.", packet_id);
logger(1, "Received an packet event for packet id %llu.", packet_id);
if (capture_mode != 0)
{
struct packet_data * const pd = utarray_packets_get(global_user, packet_id);
if (pd == NULL)
{
syslog(LOG_DAEMON | LOG_ERR,
"Received an packet event w/o a previous error event for packet id %llu.",
packet_id);
logger(1, "Received an packet event w/o a previous error event for packet id %llu.", packet_id);
return CALLBACK_OK;
}
if (pd->packet_id != packet_id)
{
syslog(LOG_DAEMON | LOG_ERR,
logger(1,
"Received a packet event with a different packet id then the one seen in the error event: "
"%llu != %llu.",
packet_id,
@@ -759,8 +773,8 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
struct nDPIsrvd_json_token const * const pkt = TOKEN_GET_SZ(sock, "pkt");
if (pkt == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "No packet data available.");
syslog(LOG_DAEMON | LOG_ERR,
logger(1, "%s", "No packet data available.");
logger(1,
"JSON String: '%.*s'",
nDPIsrvd_json_buffer_length(sock),
nDPIsrvd_json_buffer_string(sock));
@@ -785,7 +799,7 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
if (packet_write_pcap_file(global_user) != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "Could not dump non-flow packet data");
logger(1, "%s", "Could not dump non-flow packet data");
return CALLBACK_OK;
}
}
@@ -813,17 +827,14 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
struct nDPIsrvd_json_token const * const pkt = TOKEN_GET_SZ(sock, "pkt");
if (pkt == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "No packet data available.");
syslog(LOG_DAEMON | LOG_ERR,
"JSON String: '%.*s'",
nDPIsrvd_json_buffer_length(sock),
nDPIsrvd_json_buffer_string(sock));
logger(1, "%s", "No packet data available.");
logger(1, "JSON String: '%.*s'", nDPIsrvd_json_buffer_length(sock), nDPIsrvd_json_buffer_string(sock));
return CALLBACK_OK;
}
if (utarray_flow_packets_init(flow_user) == 0)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "Memory allocation for captured packets failed.");
logger(1, "%s", "Memory allocation for captured packets failed.");
return CALLBACK_ERROR;
}
@@ -840,7 +851,7 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
.base64_packet_const = nDPIsrvd_get_token_value(sock, pkt)};
if (utarray_flow_packets_add(flow_user, &pd) == 0)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "Memory allocation to add a captured packet failed.");
logger(1, "%s", "Memory allocation to add a captured packet failed.");
return CALLBACK_ERROR;
}
}
@@ -930,21 +941,20 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
if (logging_mode != 0)
{
if (flow_user->guessed != 0)
syslog_event(sock, flow, "guessed");
log_event(sock, flow, "guessed");
if (flow_user->detected == 0)
syslog_event(sock, flow, "not-detected");
log_event(sock, flow, "not-detected");
if (flow_user->risky != 0)
syslog_event(sock, flow, "risky");
log_event(sock, flow, "risky");
if (flow_user->midstream != 0)
syslog_event(sock, flow, "midstream");
log_event(sock, flow, "midstream");
}
if (flow_user->packets == NULL || flow_user->flow_max_packets == 0 ||
utarray_len(flow_user->packets) == 0)
if (flow_user->packets == NULL || flow_user->flow_max_packets == 0 || utarray_len(flow_user->packets) == 0)
{
if (logging_mode != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Flow %llu: No packets captured.", flow->id_as_ull);
logger(0, "Flow %llu: No packets captured.", flow->id_as_ull);
}
}
else if (capture_mode != 0)
@@ -955,7 +965,7 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
char pcap_filename[PATH_MAX];
if (flow_generate_pcap_filename(flow_user, pcap_filename, sizeof(pcap_filename)) == NULL)
{
syslog(LOG_DAEMON | LOG_ERR, "%s", "Internal error. Could not generate PCAP filename, exit ..");
logger(1, "%s", "Internal error. Could not generate PCAP filename, exit ..");
return CALLBACK_ERROR;
}
#ifdef VERBOSE
@@ -963,7 +973,7 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
#endif
if (flow_write_pcap_file(flow_user, pcap_filename) != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Could not dump packet data to pcap file %s", pcap_filename);
logger(1, "Could not dump packet data to pcap file %s", pcap_filename);
return CALLBACK_OK;
}
}
@@ -1012,7 +1022,7 @@ static void nDPIsrvd_write_flow_info_cb(struct nDPIsrvd_socket const * sock,
flow_user->flow_tot_l4_payload_len,
flow_user->packets != NULL ? utarray_len(flow_user->packets) : 0);
syslog(LOG_DAEMON,
logger(0,
"[Flow %4llu][ptr: "
#ifdef __LP64__
"0x%016llx"
@@ -1071,8 +1081,9 @@ static void print_usage(char const * const arg0)
{
static char const usage[] =
"Usage: %s "
"[-d] [-p pidfile] [-s host] [-r rotate-every-n-seconds]\n"
"[-c] [-d] [-p pidfile] [-s host] [-r rotate-every-n-seconds]\n"
"\t \t[-u user] [-g group] [-D dir] [-G] [-U] [-R risk] [-M]\n\n"
"\t-c\tLog all messages to stdout/stderr instead of syslog.\n"
"\t-d\tForking into background after initialization.\n"
"\t-p\tWrite the daemon PID to the given file path.\n"
"\t-s\tDestination where nDPIsrvd is listening on.\n"
@@ -1112,10 +1123,13 @@ static int parse_options(int argc, char ** argv)
{
int opt;
while ((opt = getopt(argc, argv, "hdp:s:r:u:g:lLD:GUR:ME")) != -1)
while ((opt = getopt(argc, argv, "hcdp:s:r:u:g:lLD:GUR:ME")) != -1)
{
switch (opt)
{
case 'c':
enable_console_logger();
break;
case 'd':
daemonize_enable();
break;
@@ -1272,21 +1286,21 @@ static int mainloop(void)
}
if (read_ret == READ_TIMEOUT)
{
syslog(LOG_DAEMON,
logger(0,
"No data received during the last %llu second(s).\n",
(long long unsigned int)sock->read_timeout.tv_sec);
continue;
}
if (read_ret != READ_OK)
{
syslog(LOG_DAEMON | LOG_ERR, "Could not read from socket: %s", nDPIsrvd_enum_to_string(read_ret));
logger(1, "Could not read from socket: %s", nDPIsrvd_enum_to_string(read_ret));
break;
}
enum nDPIsrvd_parse_return parse_ret = nDPIsrvd_parse_all(sock);
if (parse_ret != PARSE_NEED_MORE_DATA)
{
syslog(LOG_DAEMON | LOG_ERR, "Could not parse json string: %s", nDPIsrvd_enum_to_string(parse_ret));
logger(1, "Could not parse json string: %s", nDPIsrvd_enum_to_string(parse_ret));
break;
}
}
@@ -1321,8 +1335,8 @@ int main(int argc, char ** argv)
return 1;
}
printf("Recv buffer size: %u\n", NETWORK_BUFFER_MAX_SIZE);
printf("Connecting to `%s'..\n", serv_optarg);
logger(0, "Recv buffer size: %u\n", NETWORK_BUFFER_MAX_SIZE);
logger(0, "Connecting to `%s'..\n", serv_optarg);
if (nDPIsrvd_connect(sock) != CONNECT_OK)
{
@@ -1340,18 +1354,17 @@ int main(int argc, char ** argv)
{
return 1;
}
openlog("nDPIsrvd-captured", LOG_CONS, LOG_DAEMON);
errno = 0;
if (user != NULL && change_user_group(user, group, pidfile, datadir /* :D */, NULL) != 0)
{
if (errno != 0)
{
syslog(LOG_DAEMON | LOG_ERR, "Change user/group failed: %s", strerror(errno));
logger(1, "Change user/group failed: %s", strerror(errno));
}
else
{
syslog(LOG_DAEMON | LOG_ERR, "Change user/group failed.");
logger(1, "Change user/group failed.");
}
return 1;
}
@@ -1370,7 +1383,7 @@ int main(int argc, char ** argv)
utarray_packets_free((struct global_user_data *)sock->global_user_data);
nDPIsrvd_socket_free(&sock);
daemonize_shutdown(pidfile);
closelog();
shutdown_logging();
return retval;
}
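Review bot: In decode_base64 (the hunk at -175), the failure message still formats `base64_packet` with a bare `%s` even though its length is passed separately as `base64_packet_size`. If that pointer refers into the JSON receive buffer, as `.base64_packet_const = nDPIsrvd_get_token_value(sock, pkt)` in the -840 hunk suggests, it is not guaranteed to be NUL-terminated at the end of the token, so the call can read past the packet and log unrelated peer-supplied bytes. With `-c` these messages now go to stdout/stderr, so I would bound the argument the way the `JSON String: '%.*s'` calls in this file already do: `logger(1, "packet base64 decode failed (%zu bytes): %.*s", base64_packet_size, (int)base64_packet_size, base64_packet);`. decode_base64 starts and ends outside the hunk, so the origin of the pointer should be confirmed there.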


@@ -0,0 +1,2 @@
Flow 3 risky: tcp 192.168.1.7:51207 -> 46.44.253.187:80
Flow 6 risky: tcp 192.168.1.128:35830 -> 89.96.108.170:8080


@@ -0,0 +1,19 @@
Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
Flow 76 risky: udp 192.168.1.6:50016 -> 192.168.0.4:50005
Flow 77 risky: udp 192.168.1.6:50036 -> 192.168.0.4:50020
Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
Flow 10 risky: udp 192.168.1.6:64046 -> 192.168.1.1:53
Flow 81 risky: udp 52.114.252.8:3479 -> 192.168.1.6:50016
Flow 80 risky: udp 52.114.252.21:3480 -> 192.168.1.6:50036


@@ -0,0 +1,98 @@
Flow 37 risky: tcp 192.168.115.8:49606 -> 106.185.35.110:80
Flow 41 risky: tcp 192.168.115.8:49609 -> 42.120.51.152:8080
Flow 14 risky: udp 192.168.115.8:51024 -> 8.8.8.8:53
Flow 20 risky: udp 192.168.3.95:58779 -> 224.0.0.252:5355
Flow 19 risky: udp fe80::e98f:bae2:19f7:6b0f:58779 -> ff02::1:3:5355
Flow 24 risky: udp 192.168.115.8:52723 -> 168.95.1.1:53
Flow 16 risky: udp 192.168.115.8:52723 -> 8.8.8.8:53
Flow 35 risky: udp 192.168.5.67:138 -> 192.168.255.255:138
Flow 34 risky: udp 192.168.3.95:54888 -> 224.0.0.252:5355
Flow 39 risky: udp 192.168.115.8:54420 -> 8.8.8.8:53
Flow 26 risky: udp 192.168.115.8:60724 -> 8.8.8.8:53
Flow 33 risky: udp fe80::e98f:bae2:19f7:6b0f:54888 -> ff02::1:3:5355
Flow 97 risky: udp fe80::e98f:bae2:19f7:6b0f:51451 -> ff02::1:3:5355
Flow 70 risky: udp 192.168.5.45:138 -> 192.168.255.255:138
Flow 38 risky: tcp 192.168.115.8:49607 -> 218.244.135.170:9099
Flow 59 risky: tcp 192.168.5.16:53624 -> 68.233.253.133:80
Flow 36 risky: tcp 192.168.115.8:49605 -> 106.185.35.110:80
Flow 45 risky: tcp 192.168.5.16:53623 -> 192.168.115.75:443
Flow 87 risky: tcp 192.168.5.16:53625 -> 192.168.115.75:443
Flow 107 risky: tcp 192.168.5.16:53626 -> 192.168.115.75:443
Flow 117 risky: tcp 192.168.5.16:53629 -> 192.168.115.75:443
Flow 46 risky: tcp 192.168.115.8:49612 -> 183.131.48.145:80
Flow 49 risky: tcp 192.168.115.8:49613 -> 183.131.48.144:80
Flow 98 risky: udp 192.168.3.95:51451 -> 224.0.0.252:5355
Flow 142 midstream: tcp 192.168.2.126:46170 -> 172.105.121.82:80
Flow 146 midstream: tcp 192.168.2.126:45380 -> 161.117.13.29:80
Flow 160 midstream: tcp 192.168.2.126:49380 -> 14.136.136.108:80
Flow 158 midstream: tcp 192.168.2.126:49372 -> 14.136.136.108:80
Flow 150 midstream: tcp 192.168.2.126:45416 -> 161.117.13.29:80
Flow 147 midstream: tcp 192.168.2.126:45388 -> 161.117.13.29:80
Flow 148 midstream: tcp 192.168.2.126:45398 -> 161.117.13.29:80
Flow 163 midstream: tcp 192.168.2.126:44368 -> 172.217.18.98:80
Flow 178 risky: tcp 192.168.2.126:56826 -> 8.209.97.107:80
Flow 178 midstream: tcp 192.168.2.126:56826 -> 8.209.97.107:80
Flow 149 midstream: tcp 192.168.2.126:45414 -> 161.117.13.29:80
Flow 151 midstream: tcp 192.168.2.126:45422 -> 161.117.13.29:80
Flow 152 midstream: tcp 192.168.2.126:45424 -> 161.117.13.29:80
Flow 192 midstream: tcp 192.168.2.126:54810 -> 18.233.123.55:80
Flow 184 midstream: tcp 192.168.2.126:36636 -> 18.64.103.30:80
Flow 185 midstream: tcp 192.168.2.126:36640 -> 18.64.103.30:80
Flow 186 midstream: tcp 192.168.2.126:36654 -> 18.64.103.30:80
Flow 180 midstream: tcp 192.168.2.126:58758 -> 202.153.196.53:80
Flow 181 midstream: tcp 192.168.2.126:58760 -> 202.153.196.53:80
Flow 170 midstream: tcp 192.168.2.126:38314 -> 172.105.121.82:80
Flow 171 midstream: tcp 192.168.2.126:38316 -> 172.105.121.82:80
Flow 169 midstream: tcp 192.168.2.126:38326 -> 172.105.121.82:80
Flow 193 midstream: tcp 192.168.2.126:40204 -> 18.235.204.9:80
Flow 155 midstream: tcp 192.168.2.126:38354 -> 142.250.186.34:80
Flow 157 midstream: tcp 192.168.2.126:49354 -> 14.136.136.108:80
Flow 159 midstream: tcp 192.168.2.126:49370 -> 14.136.136.108:80
Flow 162 midstream: tcp 192.168.2.126:49396 -> 14.136.136.108:80
Flow 140 risky: tcp 192.168.2.126:49242 -> 172.104.119.80:80
Flow 140 midstream: tcp 192.168.2.126:49242 -> 172.104.119.80:80
Flow 161 midstream: tcp 192.168.2.126:49412 -> 14.136.136.108:80
Flow 179 midstream: tcp 192.168.2.126:43272 -> 18.64.79.58:80
Flow 164 midstream: tcp 192.168.2.126:50140 -> 161.117.13.29:80
Flow 165 midstream: tcp 192.168.2.126:50148 -> 161.117.13.29:80
Flow 166 midstream: tcp 192.168.2.126:50164 -> 161.117.13.29:80
Flow 167 midstream: tcp 192.168.2.126:50166 -> 161.117.13.29:80
Flow 168 midstream: tcp 192.168.2.126:50176 -> 161.117.13.29:80
Flow 153 midstream: tcp 192.168.2.126:41390 -> 18.64.79.37:80
Flow 197 midstream: tcp 192.168.2.126:51686 -> 18.64.79.64:80
Flow 156 midstream: tcp 192.168.2.126:36732 -> 142.250.186.174:80
Flow 194 midstream: tcp 192.168.2.126:53416 -> 172.217.16.142:80
Flow 189 midstream: tcp 192.168.2.126:42554 -> 35.156.44.13:80
Flow 190 risky: tcp 192.168.2.126:42566 -> 35.156.44.13:80
Flow 190 midstream: tcp 192.168.2.126:42566 -> 35.156.44.13:80
Flow 195 midstream: tcp 192.168.2.126:33042 -> 3.122.190.70:80
Flow 173 midstream: tcp 192.168.2.126:56094 -> 3.72.69.158:80
Flow 175 midstream: tcp 192.168.2.126:56096 -> 3.72.69.158:80
Flow 174 midstream: tcp 192.168.2.126:56098 -> 3.72.69.158:80
Flow 176 midstream: tcp 192.168.2.126:56104 -> 3.72.69.158:80
Flow 134 midstream: tcp 192.168.2.126:41134 -> 129.226.107.77:80
Flow 130 risky: tcp 192.168.2.126:60962 -> 172.104.93.92:1234
Flow 130 midstream: tcp 192.168.2.126:60962 -> 172.104.93.92:1234
Flow 131 risky: tcp 192.168.2.126:60972 -> 172.104.93.92:1234
Flow 131 midstream: tcp 192.168.2.126:60972 -> 172.104.93.92:1234
Flow 132 risky: tcp 192.168.2.126:60984 -> 172.104.93.92:1234
Flow 132 midstream: tcp 192.168.2.126:60984 -> 172.104.93.92:1234
Flow 196 risky: tcp 192.168.2.126:35426 -> 8.209.112.118:80
Flow 196 midstream: tcp 192.168.2.126:35426 -> 8.209.112.118:80
Flow 191 midstream: tcp 192.168.2.126:41940 -> 18.64.79.50:80
Flow 139 midstream: tcp 192.168.2.126:60148 -> 172.105.121.82:80
Flow 172 midstream: tcp 192.168.2.126:59324 -> 104.117.221.10:80
Flow 138 risky: tcp 192.168.2.126:38834 -> 119.45.78.184:80
Flow 138 midstream: tcp 192.168.2.126:38834 -> 119.45.78.184:80
Flow 182 midstream: tcp 192.168.2.126:35664 -> 18.66.2.90:80
Flow 141 midstream: tcp 192.168.2.126:46184 -> 172.105.121.82:80
Flow 133 risky: tcp 192.168.2.126:47230 -> 161.117.13.29:80
Flow 133 midstream: tcp 192.168.2.126:47230 -> 161.117.13.29:80
Flow 188 risky: tcp 192.168.2.126:37100 -> 52.29.177.177:80
Flow 188 midstream: tcp 192.168.2.126:37100 -> 52.29.177.177:80
Flow 143 midstream: tcp 192.168.2.126:46200 -> 172.105.121.82:80
Flow 135 midstream: tcp 192.168.2.126:47246 -> 161.117.13.29:80
Flow 144 midstream: tcp 192.168.2.126:46212 -> 172.105.121.82:80
Flow 136 midstream: tcp 192.168.2.126:47262 -> 161.117.13.29:80
Flow 137 midstream: tcp 192.168.2.126:47272 -> 161.117.13.29:80
Flow 145 midstream: tcp 192.168.2.126:35200 -> 103.29.71.30:80


@@ -0,0 +1 @@
Flow 1 not-detected: 41 174.3.73.24 -> 184.105.255.26


@@ -0,0 +1 @@
Flow 1 midstream: tcp 2.2.2.2:179 -> 5.5.5.5:49433


@@ -0,0 +1,23 @@
Flow 17 risky: udp 10.8.0.1:48563 -> 200.194.141.67:6000
Flow 14 risky: udp 10.8.0.1:48666 -> 200.194.129.66:6000
Flow 21 risky: udp 10.8.0.1:57004 -> 200.194.133.67:6000
Flow 23 risky: udp 10.8.0.1:36552 -> 200.194.136.66:6000
Flow 2 risky: tcp 10.8.0.1:40467 -> 173.194.119.24:80
Flow 26 risky: udp 10.8.0.1:59098 -> 200.194.134.68:6000
Flow 28 risky: udp 10.8.0.1:36577 -> 200.194.149.68:6000
Flow 22 risky: udp 10.8.0.1:53059 -> 200.194.133.68:6000
Flow 9 risky: udp 10.8.0.1:34687 -> 200.194.141.68:6000
Flow 11 risky: udp 10.8.0.1:53354 -> 200.194.137.66:6000
Flow 25 risky: udp 10.8.0.1:47346 -> 200.194.134.66:6000
Flow 10 risky: udp 10.8.0.1:39221 -> 200.194.137.67:6000
Flow 1 risky: tcp 10.8.0.1:53497 -> 173.194.119.48:80
Flow 6 risky: udp 10.8.0.1:41438 -> 200.194.141.66:6000
Flow 12 risky: udp 10.8.0.1:59959 -> 200.194.137.68:6000
Flow 30 risky: udp 10.8.0.1:33356 -> 200.194.149.66:6000
Flow 15 risky: udp 10.8.0.1:47714 -> 200.194.129.68:6000
Flow 29 risky: udp 10.8.0.1:60013 -> 200.194.136.67:6000
Flow 20 risky: udp 10.8.0.1:56128 -> 200.194.133.66:6000
Flow 24 risky: udp 10.8.0.1:43934 -> 200.194.136.68:6000
Flow 27 risky: udp 10.8.0.1:50175 -> 200.194.149.67:6000
Flow 13 risky: udp 10.8.0.1:37985 -> 200.194.129.67:6000
Flow 31 risky: udp 10.8.0.1:40058 -> 200.194.134.67:6000


@@ -0,0 +1,4 @@
Flow 1 risky: tcp 10.175.211.1:2404 -> 10.119.105.26:54768
Flow 1 midstream: tcp 10.175.211.1:2404 -> 10.119.105.26:54768
Flow 2 risky: tcp 10.175.211.3:2404 -> 10.119.105.26:54769
Flow 2 midstream: tcp 10.175.211.3:2404 -> 10.119.105.26:54769


@@ -0,0 +1,5 @@
Flow 26 risky: tcp 10.24.82.188:43581 -> 31.13.68.70:443
Flow 34 risky: tcp 10.24.82.188:35511 -> 173.252.97.2:443
Flow 15 risky: tcp 10.24.82.188:35503 -> 173.252.97.2:443
Flow 37 midstream: tcp 10.24.82.188:49217 -> 216.58.220.174:443
Flow 22 midstream: tcp 31.13.68.73:443 -> 10.24.82.188:47007


@@ -0,0 +1,4 @@
Flow 6 risky: tcp 10.24.82.188:32968 -> 110.76.143.50:8080
Flow 8 risky: tcp 10.24.82.188:58857 -> 110.76.143.50:9001
Flow 19 risky: tcp 10.24.82.188:59954 -> 173.252.88.128:443
Flow 14 midstream: tcp 10.24.82.188:49217 -> 216.58.220.174:443


@@ -0,0 +1,9 @@
Flow 1 risky: tcp 172.16.0.1:36196 -> 192.168.10.50:80
Flow 2 risky: tcp 172.16.0.1:36198 -> 192.168.10.50:80
Flow 3 risky: tcp 172.16.0.1:36200 -> 192.168.10.50:80
Flow 4 risky: tcp 172.16.0.1:36202 -> 192.168.10.50:80
Flow 5 risky: tcp 172.16.0.1:36204 -> 192.168.10.50:80
Flow 6 risky: tcp 172.16.0.1:36206 -> 192.168.10.50:80
Flow 7 risky: tcp 172.16.0.1:36208 -> 192.168.10.50:80
Flow 8 risky: tcp 172.16.0.1:36210 -> 192.168.10.50:80
Flow 9 risky: tcp 172.16.0.1:36212 -> 192.168.10.50:80


@@ -0,0 +1,22 @@
Flow 5 risky: tcp 172.16.0.1:52200 -> 192.168.10.50:80
Flow 9 risky: tcp 172.16.0.1:52298 -> 192.168.10.50:80
Flow 41 risky: tcp 172.16.0.1:52910 -> 192.168.10.50:80
Flow 1 risky: tcp 172.16.0.1:52098 -> 192.168.10.50:80
Flow 78 risky: tcp 172.16.0.1:53584 -> 192.168.10.50:80
Flow 10 risky: tcp 172.16.0.1:52300 -> 192.168.10.50:80
Flow 11 risky: tcp 172.16.0.1:52318 -> 192.168.10.50:80
Flow 114 risky: tcp 172.16.0.1:54268 -> 192.168.10.50:80
Flow 152 risky: tcp 172.16.0.1:54956 -> 192.168.10.50:80
Flow 190 risky: tcp 172.16.0.1:55632 -> 192.168.10.50:80
Flow 227 risky: tcp 172.16.0.1:56306 -> 192.168.10.50:80
Flow 265 risky: tcp 172.16.0.1:56994 -> 192.168.10.50:80
Flow 304 risky: tcp 172.16.0.1:57684 -> 192.168.10.50:80
Flow 342 risky: tcp 172.16.0.1:58360 -> 192.168.10.50:80
Flow 380 risky: tcp 172.16.0.1:59042 -> 192.168.10.50:80
Flow 419 risky: tcp 172.16.0.1:59732 -> 192.168.10.50:80
Flow 458 risky: tcp 172.16.0.1:60464 -> 192.168.10.50:80
Flow 495 risky: tcp 172.16.0.1:32906 -> 192.168.10.50:80
Flow 532 risky: tcp 172.16.0.1:33580 -> 192.168.10.50:80
Flow 569 risky: tcp 172.16.0.1:34278 -> 192.168.10.50:80
Flow 606 risky: tcp 172.16.0.1:34940 -> 192.168.10.50:80
Flow 643 risky: tcp 172.16.0.1:35626 -> 192.168.10.50:80


@@ -0,0 +1 @@
Flow 1 risky: udp 192.168.1.199:42759 -> 31.220.27.69:80


@@ -0,0 +1 @@
Flow 1 midstream: tcp 192.168.27.57:64987 -> 192.168.27.139:548


@@ -0,0 +1,51 @@
Flow 28 risky: tcp 172.16.42.216:45661 -> 52.94.232.134:443
Flow 80 risky: tcp 172.16.42.216:45703 -> 52.94.232.134:443
Flow 87 risky: tcp 172.16.42.216:45710 -> 52.94.232.134:443
Flow 89 risky: tcp 172.16.42.216:45712 -> 52.94.232.134:443
Flow 107 risky: tcp 172.16.42.216:40856 -> 54.239.29.253:443
Flow 105 risky: tcp 172.16.42.216:40854 -> 54.239.29.253:443
Flow 88 risky: tcp 172.16.42.216:45711 -> 52.94.232.134:443
Flow 125 risky: tcp 172.16.42.216:40871 -> 54.239.29.253:443
Flow 45 risky: tcp 172.16.42.216:49589 -> 52.94.232.134:80
Flow 29 risky: tcp 172.16.42.216:45662 -> 52.94.232.134:443
Flow 30 risky: tcp 172.16.42.216:45663 -> 52.94.232.134:443
Flow 43 risky: tcp 172.16.42.216:45673 -> 52.94.232.134:443
Flow 44 risky: tcp 172.16.42.216:45674 -> 52.94.232.134:443
Flow 46 risky: tcp 172.16.42.216:45676 -> 52.94.232.134:443
Flow 47 risky: tcp 172.16.42.216:45677 -> 52.94.232.134:443
Flow 48 risky: tcp 172.16.42.216:45678 -> 52.94.232.134:443
Flow 49 risky: tcp 172.16.42.216:45679 -> 52.94.232.134:443
Flow 50 risky: tcp 172.16.42.216:45680 -> 52.94.232.134:443
Flow 53 risky: tcp 172.16.42.216:45683 -> 52.94.232.134:443
Flow 57 risky: tcp 172.16.42.216:45687 -> 52.94.232.134:443
Flow 59 risky: tcp 172.16.42.216:45688 -> 52.94.232.134:443
Flow 67 risky: tcp 172.16.42.216:45693 -> 52.94.232.134:443
Flow 70 risky: tcp 172.16.42.216:45695 -> 52.94.232.134:443
Flow 71 risky: tcp 172.16.42.216:45696 -> 52.94.232.134:443
Flow 72 risky: tcp 172.16.42.216:45697 -> 52.94.232.134:443
Flow 74 risky: tcp 172.16.42.216:45698 -> 52.94.232.134:443
Flow 157 risky: tcp 172.16.42.216:38483 -> 52.85.209.143:443
Flow 142 risky: tcp 172.16.42.216:50799 -> 54.239.28.178:443
Flow 93 risky: tcp 172.16.42.216:49630 -> 52.94.232.134:80
Flow 117 risky: tcp 172.16.42.216:40864 -> 54.239.29.253:443
Flow 132 risky: tcp 172.16.42.216:40878 -> 54.239.29.253:443
Flow 75 risky: tcp 172.16.42.216:37113 -> 52.94.232.134:443
Flow 81 risky: tcp 172.16.42.216:45704 -> 52.94.232.134:443
Flow 82 risky: tcp 172.16.42.216:45705 -> 52.94.232.134:443
Flow 86 risky: tcp 172.16.42.216:45709 -> 52.94.232.134:443
Flow 91 risky: tcp 172.16.42.216:45714 -> 52.94.232.134:443
Flow 92 risky: tcp 172.16.42.216:45715 -> 52.94.232.134:443
Flow 109 risky: tcp 172.16.42.216:45728 -> 52.94.232.134:443
Flow 110 risky: tcp 172.16.42.216:45729 -> 52.94.232.134:443
Flow 111 risky: tcp 172.16.42.216:45730 -> 52.94.232.134:443
Flow 112 risky: tcp 172.16.42.216:45731 -> 52.94.232.134:443
Flow 113 risky: tcp 172.16.42.216:45732 -> 52.94.232.134:443
Flow 133 risky: tcp 172.16.42.216:45750 -> 52.94.232.134:443
Flow 134 risky: tcp 172.16.42.216:45751 -> 52.94.232.134:443
Flow 137 risky: tcp 172.16.42.216:45752 -> 52.94.232.134:443
Flow 136 risky: tcp 172.16.42.216:39750 -> 52.94.232.134:443
Flow 156 risky: tcp 172.16.42.216:58048 -> 54.239.28.178:443
Flow 65 risky: tcp 172.16.42.216:41691 -> 54.239.29.146:443
Flow 99 risky: tcp 172.16.42.216:44001 -> 176.32.101.52:443
Flow 11 risky: tcp 172.16.42.216:42878 -> 173.194.223.188:5228
Flow 16 risky: tcp 172.16.42.216:55242 -> 52.85.209.197:443


@@ -0,0 +1,3 @@
Flow 1 midstream: tcp 127.0.0.1:44205 -> 127.0.1.1:5672
Flow 2 midstream: tcp 127.0.1.1:5672 -> 127.0.0.1:44204
Flow 3 midstream: tcp 127.0.0.1:44206 -> 127.0.1.1:5672


@@ -0,0 +1,5 @@
Flow 3 risky: tcp 17.248.176.75:443 -> 192.168.2.17:50580
Flow 3 midstream: tcp 17.248.176.75:443 -> 192.168.2.17:50580
Flow 2 risky: tcp 17.248.176.75:443 -> 192.168.2.17:50584
Flow 2 midstream: tcp 17.248.176.75:443 -> 192.168.2.17:50584
Flow 5 midstream: tcp 17.248.185.10:443 -> 192.168.2.17:50702


@@ -0,0 +1,19 @@
Flow 30 risky: tcp 10.0.0.227:56921 -> 8.37.96.194:4287
Flow 25 midstream: tcp 10.0.0.227:56884 -> 184.25.56.77:80
Flow 24 midstream: tcp 10.0.0.227:56917 -> 184.25.56.77:80
Flow 26 risky: udp 10.0.0.227:54851 -> 75.75.76.76:53
Flow 16 risky: udp 10.0.0.227:63107 -> 75.75.76.76:53
Flow 34 risky: udp 10.0.0.227:52879 -> 75.75.75.75:53
Flow 58 risky: udp 10.0.0.227:54107 -> 8.37.102.91:443
Flow 36 risky: udp 10.0.0.227:57017 -> 75.75.75.75:53
Flow 68 risky: udp 10.0.0.149:5353 -> 224.0.0.251:5353
Flow 35 risky: udp 10.0.0.227:59222 -> 75.75.75.75:53
Flow 33 risky: udp 10.0.0.227:57261 -> 75.75.75.75:53
Flow 3 risky: tcp 10.0.0.227:56320 -> 10.0.0.149:8009
Flow 3 midstream: tcp 10.0.0.227:56320 -> 10.0.0.149:8009
Flow 44 risky: tcp 10.0.0.227:56886 -> 17.57.144.116:5223
Flow 44 midstream: tcp 10.0.0.227:56886 -> 17.57.144.116:5223
Flow 15 risky: tcp 10.0.0.227:56919 -> 8.37.102.91:443
Flow 38 risky: tcp 10.0.0.227:56929 -> 8.37.102.91:443
Flow 62 risky: tcp 10.0.0.227:56954 -> 10.0.0.149:8008
Flow 63 risky: tcp 10.0.0.227:56955 -> 10.0.0.151:8060


@@ -0,0 +1,5 @@
Flow 1 risky: tcp 192.168.149.129:36351 -> 51.83.239.144:80
Flow 1 midstream: tcp 192.168.149.129:36351 -> 51.83.239.144:80
Flow 2 risky: tcp 192.168.149.129:43535 -> 51.83.238.219:80
Flow 5 risky: tcp 192.168.1.187:54164 -> 192.168.1.178:7070
Flow 7 risky: tcp 192.168.1.128:48260 -> 195.181.174.176:443


@@ -0,0 +1,3 @@
Flow 2 risky: udp 192.168.43.91:56354 -> 4.2.2.4:53
Flow 1 risky: udp 192.168.43.91:35966 -> 4.2.2.4:53
Flow 3 risky: udp 192.168.43.91:46961 -> 4.2.2.4:53


@@ -0,0 +1,6 @@
Flow 2 midstream: tcp 192.168.1.142:55328 -> 69.118.54.122:8333
Flow 3 midstream: tcp 192.168.1.142:55348 -> 74.89.181.229:8333
Flow 4 midstream: tcp 192.168.1.142:55383 -> 66.68.83.22:8333
Flow 5 midstream: tcp 192.168.1.142:55400 -> 195.218.16.178:8333
Flow 6 midstream: tcp 192.168.1.142:55487 -> 184.58.165.119:8333
Flow 1 midstream: tcp 192.168.1.142:55317 -> 188.165.213.169:8333


@@ -0,0 +1,46 @@
Flow 17 risky: tcp 192.168.1.3:52915 -> 198.100.146.9:60163
Flow 17 midstream: tcp 192.168.1.3:52915 -> 198.100.146.9:60163
Flow 2 risky: tcp 192.168.1.3:52887 -> 82.57.97.83:53137
Flow 2 midstream: tcp 192.168.1.3:52887 -> 82.57.97.83:53137
Flow 11 risky: tcp 192.168.1.3:52906 -> 82.57.97.83:53137
Flow 11 midstream: tcp 192.168.1.3:52906 -> 82.57.97.83:53137
Flow 3 midstream: tcp 192.168.1.3:52895 -> 83.216.184.241:51413
Flow 22 midstream: tcp 192.168.1.3:52927 -> 83.216.184.241:51413
Flow 21 risky: tcp 192.168.1.3:52922 -> 95.237.193.34:11321
Flow 21 midstream: tcp 192.168.1.3:52922 -> 95.237.193.34:11321
Flow 13 risky: tcp 192.168.1.3:52912 -> 151.72.255.163:59928
Flow 13 midstream: tcp 192.168.1.3:52912 -> 151.72.255.163:59928
Flow 6 risky: tcp 192.168.1.3:52897 -> 151.26.95.30:22673
Flow 6 midstream: tcp 192.168.1.3:52897 -> 151.26.95.30:22673
Flow 12 risky: tcp 192.168.1.3:52911 -> 151.26.95.30:22673
Flow 12 midstream: tcp 192.168.1.3:52911 -> 151.26.95.30:22673
Flow 20 risky: tcp 192.168.1.3:52921 -> 95.234.159.16:41205
Flow 20 midstream: tcp 192.168.1.3:52921 -> 95.234.159.16:41205
Flow 23 risky: tcp 192.168.1.3:52926 -> 93.65.249.100:31336
Flow 23 midstream: tcp 192.168.1.3:52926 -> 93.65.249.100:31336
Flow 24 risky: tcp 192.168.1.3:52925 -> 93.65.227.100:19116
Flow 24 midstream: tcp 192.168.1.3:52925 -> 93.65.227.100:19116
Flow 9 risky: tcp 192.168.1.3:52902 -> 190.103.195.56:46633
Flow 9 midstream: tcp 192.168.1.3:52902 -> 190.103.195.56:46633
Flow 18 risky: tcp 192.168.1.3:52914 -> 190.103.195.56:46633
Flow 18 midstream: tcp 192.168.1.3:52914 -> 190.103.195.56:46633
Flow 4 risky: tcp 192.168.1.3:52896 -> 79.53.228.2:14627
Flow 4 midstream: tcp 192.168.1.3:52896 -> 79.53.228.2:14627
Flow 14 risky: tcp 192.168.1.3:52909 -> 79.53.228.2:14627
Flow 14 midstream: tcp 192.168.1.3:52909 -> 79.53.228.2:14627
Flow 7 risky: tcp 192.168.1.3:52893 -> 79.55.129.22:12097
Flow 7 midstream: tcp 192.168.1.3:52893 -> 79.55.129.22:12097
Flow 16 risky: tcp 192.168.1.3:52908 -> 79.55.129.22:12097
Flow 16 midstream: tcp 192.168.1.3:52908 -> 79.55.129.22:12097
Flow 19 risky: tcp 192.168.1.3:52917 -> 151.15.48.189:47001
Flow 19 midstream: tcp 192.168.1.3:52917 -> 151.15.48.189:47001
Flow 8 risky: tcp 192.168.1.3:52903 -> 198.100.146.9:60163
Flow 8 midstream: tcp 192.168.1.3:52903 -> 198.100.146.9:60163
Flow 1 risky: tcp 192.168.1.3:52888 -> 82.58.216.115:38305
Flow 1 midstream: tcp 192.168.1.3:52888 -> 82.58.216.115:38305
Flow 10 risky: tcp 192.168.1.3:52907 -> 82.58.216.115:38305
Flow 10 midstream: tcp 192.168.1.3:52907 -> 82.58.216.115:38305
Flow 5 risky: tcp 192.168.1.3:52894 -> 120.62.33.241:39332
Flow 5 midstream: tcp 192.168.1.3:52894 -> 120.62.33.241:39332
Flow 15 risky: tcp 192.168.1.3:52910 -> 120.62.33.241:39332
Flow 15 midstream: tcp 192.168.1.3:52910 -> 120.62.33.241:39332


@@ -0,0 +1 @@
Flow 1 risky: tcp 192.168.122.34:48987 -> 178.71.206.1:6881


@@ -0,0 +1 @@
Flow 1 risky: udp 82.243.113.43:64969 -> 192.168.1.5:40959


@@ -0,0 +1 @@
Flow 1 risky: tcp 40.77.167.36:64768 -> 89.31.72.220:80


@@ -0,0 +1,7 @@
Flow 11 risky: tcp 192.168.56.1:53528 -> 192.168.56.101:17501
Flow 9 risky: tcp 192.168.56.1:53522 -> 192.168.56.101:17501
Flow 9 midstream: tcp 192.168.56.1:53522 -> 192.168.56.101:17501
Flow 10 risky: tcp 192.168.56.1:53523 -> 192.168.56.101:17501
Flow 10 midstream: tcp 192.168.56.1:53523 -> 192.168.56.101:17501
Flow 13 risky: tcp 192.168.56.101:17501 -> 192.168.56.1:53524
Flow 13 midstream: tcp 192.168.56.101:17501 -> 192.168.56.1:53524


@@ -0,0 +1 @@
Flow 1 risky: tcp 192.168.12.156:38291 -> 93.184.220.29:80


@@ -0,0 +1,2 @@
Flow 1 risky: tcp 2001:db8:1::1:64720 -> 2001:db8:200::1:20868
Flow 2 risky: tcp 172.26.219.44:58639 -> 172.30.69.103:22


@@ -0,0 +1,2 @@
Flow 1 risky: udp fe80::7c0:e74e:87c3:5d93:6741 -> ff02::1:3:5355
Flow 2 risky: udp fe80::356b:e047:3695:f741:16765 -> ff02::1:3:5355


@@ -0,0 +1 @@
Flow 1 midstream: tcp 10.201.9.245:50957 -> 10.201.9.11:3868


@@ -0,0 +1 @@
Flow 1 risky: udp 192.168.2.225:45290 -> 192.168.2.134:53


@@ -0,0 +1 @@
Flow 1 risky: udp 127.0.0.1:35980 -> 127.0.0.1:53


@@ -0,0 +1 @@
Flow 1 risky: udp 10.0.2.30:44639 -> 10.0.2.20:53


@@ -0,0 +1 @@
Flow 1 risky: tcp 192.168.20.211:44404 -> 1.1.1.1:443


@@ -0,0 +1 @@
Flow 6 risky: udp 10.200.2.11:42790 -> 8.8.8.8:53


@@ -0,0 +1 @@
Flow 1 risky: udp 192.168.220.56:56373 -> 192.168.203.167:53


@@ -0,0 +1,9 @@
Flow 1 risky: udp 172.217.40.76:56680 -> 193.24.227.238:53
Flow 3 risky: udp 2a00:1450:4013:c06::105:63369 -> 2001:470:765b::a25:53:53
Flow 7 risky: udp 2a00:1450:4013:c05::10e:34944 -> 2001:470:765b::a25:53:53
Flow 4 risky: udp 173.194.169.104:59464 -> 193.24.227.238:53
Flow 6 risky: udp 74.125.47.136:59330 -> 193.24.227.238:53
Flow 5 risky: udp 2a00:1450:400c:c00::106:54430 -> 2001:470:765b::a25:53:53
Flow 2 risky: udp 2a00:1450:4013:c03::10a:46433 -> 2001:470:765b::a25:53:53
Flow 16 risky: udp 2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb:55729 -> 2001:470:765b::a25:53:53
Flow 17 risky: udp 194.247.5.6:51791 -> 193.24.227.238:53


@@ -0,0 +1 @@
Flow 1 risky: udp 192.168.1.168:65311 -> 8.8.8.8:53


@@ -0,0 +1,38 @@
Flow 29 risky: tcp 10.0.0.1:35714 -> 209.250.241.25:443
Flow 29 midstream: tcp 10.0.0.1:35714 -> 209.250.241.25:443
Flow 12 midstream: tcp 10.0.0.1:41720 -> 116.203.179.248:443
Flow 34 risky: tcp 10.0.0.1:35742 -> 209.250.241.25:443
Flow 34 midstream: tcp 10.0.0.1:35742 -> 209.250.241.25:443
Flow 25 risky: tcp 10.0.0.1:52028 -> 45.76.113.31:8443
Flow 25 midstream: tcp 10.0.0.1:52028 -> 45.76.113.31:8443
Flow 26 midstream: tcp 10.0.0.1:34036 -> 217.169.20.23:443
Flow 10 midstream: tcp 10.0.0.1:55322 -> 185.134.196.55:443
Flow 14 midstream: tcp 10.0.0.1:46658 -> 185.233.106.232:443
Flow 20 midstream: tcp 10.0.0.1:33724 -> 104.28.28.34:443
Flow 6 midstream: tcp 10.0.0.1:40938 -> 172.104.93.80:443
Flow 4 midstream: tcp 10.0.0.1:55962 -> 51.158.147.50:443
Flow 8 risky: tcp 10.0.0.1:38186 -> 185.43.135.1:443
Flow 8 midstream: tcp 10.0.0.1:38186 -> 185.43.135.1:443
Flow 13 midstream: tcp 10.0.0.1:60026 -> 195.30.94.28:443
Flow 31 midstream: tcp 10.0.0.1:57058 -> 46.227.200.54:443
Flow 17 midstream: tcp 10.0.0.1:44640 -> 185.235.81.1:443
Flow 21 midstream: tcp 10.0.0.1:53802 -> 1.0.0.1:443
Flow 28 midstream: tcp 10.0.0.1:54164 -> 193.70.85.11:443
Flow 27 midstream: tcp 10.0.0.1:43718 -> 146.255.56.98:443
Flow 33 midstream: tcp 10.0.0.1:44704 -> 185.235.81.1:443
Flow 18 midstream: tcp 10.0.0.1:43106 -> 116.202.176.26:443
Flow 9 midstream: tcp 10.0.0.1:51770 -> 9.9.9.10:443
Flow 32 midstream: tcp 10.0.0.1:51846 -> 9.9.9.10:443
Flow 30 midstream: tcp 10.0.0.1:43888 -> 95.216.229.153:443
Flow 11 midstream: tcp 10.0.0.1:52386 -> 51.15.124.208:443
Flow 19 midstream: tcp 10.0.0.1:59026 -> 85.5.93.230:443
Flow 23 midstream: tcp 10.0.0.1:52176 -> 136.144.215.158:443
Flow 22 midstream: tcp 10.0.0.1:33338 -> 45.90.28.0:443
Flow 15 risky: tcp 10.0.0.1:36012 -> 149.56.228.45:453
Flow 15 midstream: tcp 10.0.0.1:36012 -> 149.56.228.45:453
Flow 7 risky: tcp 10.0.0.1:37530 -> 167.114.220.125:453
Flow 7 midstream: tcp 10.0.0.1:37530 -> 167.114.220.125:453
Flow 3 midstream: tcp 10.0.0.1:50614 -> 185.95.218.42:443
Flow 24 midstream: tcp 10.0.0.1:39214 -> 104.28.0.106:443
Flow 16 midstream: tcp 10.0.0.1:38018 -> 45.153.187.96:443
Flow 5 midstream: tcp 10.0.0.1:59404 -> 185.253.154.66:443
