mmanoj

Results: 71 comments by mmanoj

I saw a communication to destination port 50053 and TLS communication having the below byte pattern: cc 1c 30 41 5b a4 38 66 99 6f eb a3 ff c3 dd...

@utoni Thanks for the feedback, I will check and update the results. Also, I found some research papers which help to detect Ultrasurf. I will email you. Please share your email.

```
Detected protocols:
Unknown packets: 705 bytes: 76642 flows: 31
DNS packets: 9 bytes: 1239 flows: 5
Yahoo packets: 45 bytes: 22758 flows: 1
ICMP packets: 67 bytes: 5153 flows: 5...
```

Reading packets from pcap file ../../../PktCaptures/UltraSurf_rx_02.pcap... **UltraSurf** packets: 2971 bytes: 2991918 flows: 1 5 **TCP 65.49.68.25:50053 10.132.0.23:37898** [VLAN: 200][proto: 301/**UltraSurf**][Encrypted][Confidence: DPI][cat: VPN/2][1802 pkts/2867775 bytes 1169 pkts/124143 bytes][Goodput ratio: 96/19][46.77 sec][bytes...

Yes, Post PCAPS was detected. I'm testing with a fresh capture and will update you with the results ASAP. Also, I'm reverse engineering the apk to check the communications, and IP addresses will...

Please find the latest captures, it didn't detect: [ultra_rx_20220707_052251_86723.zip](https://github.com/ntop/nDPI/files/9061227/ultra_rx_20220707_052251_86723.zip). I saw some pattern 17 03 03, but in random locations.

Hi @utoni, please find my latest analysis below with attached dumps with various PCAPS. I found the below pattern more reliable. **16 03 01** 02 00 01 00 01...

[ultraSurf_pcapDumpAnalysys.zip](https://github.com/ntop/nDPI/files/9065314/ultraSurf_pcapDumpAnalysys.zip)

I can see it's in most of the communication that happened. Any other suggestions to detect it? I'm working on a sequence diagram of the communication flow of UltraSurf to understand more. I also...

@utoni Any other suggestions to detect Ultrasurf? I'm still analyzing possible methods and trying to figure out the communication pattern/domain fronting etc.