betolj / ndpi-netfilter

GNU General Public License v2.0

Incorrect [Host] Field in ndpireader output #24

Closed u-Map closed 8 years ago

u-Map commented 8 years ago

Hi,

I see host names in the [Host] field of ndpireader output which are totally unrelated to the destination or protocol classification. Please see some examples below. These are frequently seen in SSL and Bittorrent traffic.

2016-02-29 12:36:53 INFO | Src: UDP 192.168.200.17:54451 | Dest: 213.199.179.147:40014 | [proto: 125/Skype] | [1 pkts/192 bytes] | [Host: mail.google.com] | [SSL client: ] | [SSL server: ]

2016-02-29 12:36:59 INFO | Src: TCP 192.168.200.37:39516 | Dest: 222.165.168.219:443 | [proto: 91.119/SSL.Facebook] | [proto: 119/Facebook] | [4 pkts/763 bytes] | [Host: statsfe2.update.microsoft.com] | [SSL client: fbcdn-profile-a.akamaihd.net] | [SSL server: ]

2016-02-29 12:37:04 INFO | Src: TCP 192.168.200.11:51149 | Dest: 17.167.140.123:993 | [proto: 140/Apple] | [11 pkts/1315 bytes] | [Host: statsfe2.update.microsoft.com] | [SSL client: ] | [SSL server: ]

$ sudo ./ndpiReader -r ndpiReader - nDPI (1.7.1--0-)

Any idea on this?
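The symptom in the report is a DPI metadata field that does not belong to the flow it is printed on, which matters as soon as anyone feeds [Host] into a blocklist, a proxy policy or a detection rule. The script below is an added example for this thread, not code from ndpi-netfilter or nDPI: it parses the " | "-separated ndpiReader lines quoted above (copied as constructed sample input, plus one clean HTTP flow added as a control) and flags every flow whose Host value could not have come from that flow's own payload. The two heuristics, "Host on a non-HTTP-family flow" and "Host differs from the SSL client SNI on the same flow", and the set HOST_BEARING_PROTOCOLS are the editor's assumptions, not nDPI's own rules.

```python
"""Sanity-check the [Host] field in ndpiReader text output.

Added example for this issue thread; not part of ndpi-netfilter or nDPI.
It parses the " | "-separated flow lines ndpiReader prints and flags flows
whose Host value fails either of two editor-chosen heuristics (assumptions,
not nDPI semantics):

  1. a Host is present but the classification is not an HTTP-family
     protocol, i.e. the flow had no Host header to take it from; or
  2. the flow also carries an SSL client SNI that differs from the Host.

Flows tripping either check are the ones a consumer should not feed into
hostname-based policy or detection until the source of the value is known.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input: the three lines from the report, plus one clean
# HTTP flow (made up, 93.184.216.34 is just a placeholder) as a control.
SAMPLE_LINES = [
    "2016-02-29 12:36:53 INFO | Src: UDP 192.168.200.17:54451 | Dest: 213.199.179.147:40014 | [proto: 125/Skype] | [1 pkts/192 bytes] | [Host: mail.google.com] | [SSL client: ] | [SSL server: ]",
    "2016-02-29 12:36:59 INFO | Src: TCP 192.168.200.37:39516 | Dest: 222.165.168.219:443 | [proto: 91.119/SSL.Facebook] | [proto: 119/Facebook] | [4 pkts/763 bytes] | [Host: statsfe2.update.microsoft.com] | [SSL client: fbcdn-profile-a.akamaihd.net] | [SSL server: ]",
    "2016-02-29 12:37:04 INFO | Src: TCP 192.168.200.11:51149 | Dest: 17.167.140.123:993 | [proto: 140/Apple] | [11 pkts/1315 bytes] | [Host: statsfe2.update.microsoft.com] | [SSL client: ] | [SSL server: ]",
    "2016-02-29 12:37:10 INFO | Src: TCP 192.168.200.11:51200 | Dest: 93.184.216.34:80 | [proto: 7/HTTP] | [6 pkts/2048 bytes] | [Host: example.com] | [SSL client: ] | [SSL server: ]",
]

# Editor's assumption: only these master protocols carry an HTTP Host header.
HOST_BEARING_PROTOCOLS = {"HTTP", "HTTP_Proxy", "HTTP_Connect"}

_SRC_RE = re.compile(r"^Src: (TCP|UDP) (\S+):(\d+)$")
_DST_RE = re.compile(r"^Dest: (\S+):(\d+)$")
_KV_RE = re.compile(r"^\[([A-Za-z][A-Za-z ]*): ?([^\]]*)\]$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ndpiReader flow line into a dict; None if it is not one."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) < 4:
        return None
    flow: Dict[str, str] = {"timestamp": parts[0].split(" INFO")[0]}
    src = _SRC_RE.match(parts[1])
    dst = _DST_RE.match(parts[2])
    if not (src and dst):
        return None
    flow.update(l4=src.group(1), src_ip=src.group(2), src_port=src.group(3),
                dst_ip=dst.group(1), dst_port=dst.group(2))
    protos: List[str] = []
    for item in parts[3:]:
        kv = _KV_RE.match(item)
        if not kv:
            continue  # "[4 pkts/763 bytes]" has no "key: value" shape
        key, value = kv.group(1), kv.group(2).strip()
        if key == "proto":
            protos.append(value.split("/", 1)[1])  # "91.119/SSL.Facebook" -> "SSL.Facebook"
        else:
            flow[key.lower().replace(" ", "_")] = value  # host, ssl_client, ssl_server
    if not protos:
        return None
    # ndpiReader prints master.app (e.g. SSL.Facebook); the master protocol
    # decides which headers the flow could actually have carried.
    flow["proto"] = protos[0]
    flow["master_proto"] = protos[0].split(".", 1)[0]
    return flow


def suspicious_host_reasons(flow: Dict[str, str]) -> List[str]:
    """Return the heuristics (if any) that make this flow's Host untrustworthy."""
    host = flow.get("host", "")
    if not host:
        return []
    reasons = []
    if flow["master_proto"] not in HOST_BEARING_PROTOCOLS:
        reasons.append(f"Host set on non-HTTP flow ({flow['proto']})")
    sni = flow.get("ssl_client", "")
    if sni and sni != host:
        reasons.append(f"Host {host!r} differs from SNI {sni!r}")
    return reasons


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'src -> dst' to its reasons for every flow with a suspicious Host."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        reasons = suspicious_host_reasons(flow)
        if reasons:
            key = f"{flow['src_ip']}:{flow['src_port']} -> {flow['dst_ip']}:{flow['dst_port']}"
            findings[key] = reasons
    return findings


def hosts_shared_across_protocols(lines: List[str]) -> Dict[str, List[str]]:
    """Host values that ndpiReader attached to flows of more than one protocol."""
    by_host = defaultdict(set)
    for line in lines:
        flow = parse_line(line)
        if flow and flow.get("host"):
            by_host[flow["host"]].add(flow["proto"])
    return {h: sorted(p) for h, p in by_host.items() if len(p) > 1}


if __name__ == "__main__":
    for flow_key, reasons in audit(SAMPLE_LINES).items():
        print(flow_key)
        for reason in reasons:
            print("   ", reason)
    print("hosts reused across protocols:", hosts_shared_across_protocols(SAMPLE_LINES))
```

On the three lines from the report all three flows are flagged, the SSL.Facebook flow for both reasons, and statsfe2.update.microsoft.com shows up attached to two unrelated protocols; the control HTTP flow passes. Run it over a full `ndpiReader` log (one line per flow) to measure how much of the [Host] output is affected before deciding whether the field can be trusted for anything.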