Please provide a pcap file (full trace) so I can see what I can do Luca
> On 12 Mar 2015, at 15:29, Denys Fedoryshchenko <[email protected]> > wrote: > > The most challenging is that youtube app(and several others apps btw too) in > android doesn't use SNI for TLS/SSL, so i guess there is no reliable way to > detect if it's youtube or some other traffic going over same google server. > > On 2015-03-12 16:24, Luca Deri wrote: >> There is nothing special to do. If it does not work please provide a >> pcap file to test with >> Regards Luca >>> On 12 Mar 2015, at 13:35, Ming-Ching Tiew <[email protected]> wrote: >>> Sorry the mailer on mobile phone messed things up and I am >>> resending. >>> Thanks for the info, I will do further testing to find out why my >>> tests did not pick up youtube traffic over ssl. >>> Is the a compile options of nDPI where some missing libraries on my >>> test machine which could have caused this ? >>> ------------------------- >>> FROM: Luca Deri <[email protected]> >>> TO: [email protected]; Ming-Ching Tiew >>> <[email protected]> >>> SENT: Thursday, March 12, 2015 7:18 PM >>> SUBJECT: Re: [Ntop-misc] ndpi to support youtube over ssl ? >>> Not quite I have just tested it >>> 1 TCP 149.3.176.18:443 <-> 192.168.1.92:52002 [proto: >>> 124/YouTube][19 pkts/6626 bytes][SSL client: >>> r7---sn-nx5cvox-hpa6.googlevideo.com [1]] >>> 2 TCP 149.3.176.14:443 <-> 192.168.1.92:52004 [proto: >>> 124/YouTube][772 pkts/698990 bytes][SSL client: >>> r3---sn-nx5cvox-hpa6.googlevideo.com [1]] >>> 6 TCP 173.194.40.1:443 <-> 192.168.1.92:51983 [proto: >>> 124/YouTube][20 pkts/6100 bytes][SSL client: www.youtube.com [2]] >>> 7 TCP 173.194.40.6:443 <-> 192.168.1.92:51985 [proto: >>> 124/YouTube][22 pkts/6262 bytes][SSL client: s.ytimg.com [3]] >>> 8 TCP 173.194.40.6:443 <-> 192.168.1.92:51987 [proto: >>> 124/YouTube][20 pkts/6096 bytes][SSL client: s.ytimg.com [3]] >>> 9 TCP 173.194.40.6:443 <-> 192.168.1.92:51989 [proto: >>> 124/YouTube][20 pkts/6095 bytes][SSL client: s.ytimg.com [3]] >>> 11 TCP 173.194.40.8:443 <-> 192.168.1.92:52007 [proto: >>> 124/YouTube][39 pkts/9046 bytes][SSL client: >>> www.youtube-nocookie.com [4]] >>> 31 TCP 192.168.1.92:52027 <-> 74.125.6.183:443 [proto: >>> 124/YouTube][140 pkts/116031 bytes][SSL client: >>> r18---sn-5uaeznl7.googlevideo.com [5]] >>> 33 TCP 149.3.176.14:443 <-> 192.168.1.92:52003 [proto: >>> 124/YouTube][2378 pkts/2707249 bytes][SSL client: >>> r3---sn-nx5cvox-hpa6.googlevideo.com [1]] >>> 37 TCP 173.194.40.1:443 <-> 192.168.1.92:51982 [proto: >>> 124/YouTube][388 pkts/138593 bytes][SSL client: www.youtube.com [2]] >>> 38 TCP 173.194.40.6:443 <-> 192.168.1.92:51984 [proto: >>> 124/YouTube][2461 pkts/2010874 bytes][SSL client: s.ytimg.com [3]] >>> 39 TCP 173.194.40.6:443 <-> 192.168.1.92:51986 [proto: >>> 124/YouTube][20 pkts/6095 bytes][SSL client: s.ytimg.com [3]] >>> 40 TCP 173.194.40.6:443 <-> 192.168.1.92:51988 [proto: >>> 124/YouTube][20 pkts/6096 bytes][SSL client: s.ytimg.com [3]] >>> Regards Luca >>> On 12 Mar 2015, at 11:31, Ming-Ching Tiew <[email protected]> wrote: >>> Yes I test it, from ndpiReader and netfilter ndpi, both could not >>> see youtube over SSL. >>> Only SSL is detected, nothing is recorded for youtube when I watch >>> youtube over https. Btw, it's build 8598. >>> ------------------------- >>> FROM: Luca Deri <[email protected]> >>> TO: [email protected]; Ming-Ching Tiew >>> <[email protected]> >>> SENT: Thursday, March 12, 2015 6:08 PM >>> SUBJECT: Re: [Ntop-misc] ndpi to support youtube over ssl ? >>> Ming >>> did you test nDPI? >>> Luca >>> On 12 Mar 2015, at 09:46, Ming-Ching Tiew <[email protected]> wrote: >>> Is there a support for ndpi to detect youtube over ssl ? >>> Most of the youtube traffic today are carried over ssl. That >>> practically rendered vanilla youtube detection useless. >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc [6] >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc [6] >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> Links: >> ------ >> [1] http://sn-nx5cvox-hpa6.googlevideo.com/ >> [2] http://www.youtube.com/ >> [3] http://s.ytimg.com/ >> [4] http://www.youtube-nocookie.com/ >> [5] http://sn-5uaeznl7.googlevideo.com/ >> [6] http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
