From 797dce3dc2647c7e25d4d61884d031833d7a28b6 Mon Sep 17 00:00:00 2001
From: Toby
Date: Mon, 26 Feb 2024 15:27:35 -0800
Subject: [PATCH] feat: update FET analyzer to better reflect what's described in the paper
---
 analyzer/tcp/fet.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/analyzer/tcp/fet.go b/analyzer/tcp/fet.go
index 2022d7a..8b727f5 100644
--- a/analyzer/tcp/fet.go
+++ b/analyzer/tcp/fet.go
@@ -143,8 +143,11 @@ func isTLSorHTTP(bytes []byte) bool {
 if len(bytes) < 3 {
 return false
 }
- if bytes[0] == 0x16 && bytes[1] == 0x03 && bytes[2] <= 0x03 {
- // TLS handshake for TLS 1.0-1.3
+ // "We observe that the GFW exempts any connection whose first
+ // three bytes match the following regular expression:
+ // [\x16-\x17]\x03[\x00-\x09]" - from the paper in Section 4.3
+ if bytes[0] >= 0x16 && bytes[0] <= 0x17 &&
+ bytes[1] == 0x03 && bytes[2] <= 0x09 {
 return true
 }
 // HTTP request
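Review bot: The widened condition in isTLSorHTTP no longer identifies TLS handshakes only, but the comment that replaces `// TLS handshake for TLS 1.0-1.3` neither explains the byte values nor says that the looser bounds are deliberate. 0x17 is the TLS application_data record type and a third byte up to 0x09 is wider than any TLS minor version in use, so a `true` result now means "matches the exemption prefix quoted from the paper", not "is TLS". I would add `// 0x16 = handshake, 0x17 = application_data; the minor-version bound is intentionally wider than real TLS to mirror the observed exemption` and name the paper by title or URL, since "the paper" cannot be resolved from this file alone. A table test pinning the boundaries (first byte 0x15/0x16/0x17/0x18, third byte 0x09/0x0a) would keep the range from drifting silently. The function body continues outside the hunk, so the HTTP branch is not reviewed here.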