HTTP: improve sub-classification (#1696)

Content-matched sub-protocols (DASH, IPP, MPEGDASH...) shouldn't ovewrite the previous master protocol (if any; usually HTTP). Furthermore. the HTTP dissector shouldn't update the classification (in the extra-dissection code path) if a content-matched sub-protocols has already been found. This commit should address the first part of the changes described in #1687.
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2022-08-05 14:14:38 +0200
committer: GitHub <noreply@github.com> 2022-08-05 14:14:38 +0200
commit: c0732eda45884de91e0c221e9dd23eeec364bf68 (patch)
tree: 50a3146ccb9463fb4724fcf8268122d9bdccd371
parent: 346e274a1b1d713aedfc341f7d1300009f9f0e1a (diff)
12 files changed, 61 insertions, 48 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 355b9a086..4e7284748 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -84,6 +84,11 @@ extern "C" {
 				  u_int16_t lower_detected_protocol,
 				  ndpi_confidence_t confidence);
 
+  void ndpi_set_detected_protocol_keeping_master(struct ndpi_detection_module_struct *ndpi_str,
+						 struct ndpi_flow_struct *flow,
+						 u_int16_t detected_protocol,
+						 ndpi_confidence_t confidence);
+
   extern void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struct,
 					  struct ndpi_flow_struct *flow);
   extern void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7929b3b88..f8d88374f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7063,6 +7063,22 @@ u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int
 
 /* ********************************************************************************* */
 
+void ndpi_set_detected_protocol_keeping_master(struct ndpi_detection_module_struct *ndpi_str,
+					       struct ndpi_flow_struct *flow,
+					       u_int16_t detected_protocol,
+					       ndpi_confidence_t confidence) {
+  u_int16_t master;
+
+  master = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0];
+
+  if (master != NDPI_PROTOCOL_UNKNOWN)
+    ndpi_set_detected_protocol(ndpi_str, flow, detected_protocol, master, confidence);
+  else
+    ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_UNKNOWN, detected_protocol, confidence);
+}
+
+/* ********************************************************************************* */
+
 void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
 				u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol,
 				ndpi_confidence_t confidence) {
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 505f2ad16..b5ea1d1e6 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -109,7 +109,8 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
   if(check_hash)
     ndpi_search_bittorrent_hash(ndpi_struct, flow, bt_offset);
 
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, confidence);
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT,
+					    confidence);
   
   if(flow->protos.bittorrent.hash[0] == '\0') {
     /* This is necessary to inform the core to call this dissector again */
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c
index 7f6656424..a5ab04c3c 100644
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@@ -33,8 +33,9 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct
 					     struct ndpi_flow_struct *flow,
 					     ndpi_confidence_t confidence)
 {
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN, confidence);
   NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n");
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA,
+					    confidence);
 }
 
 void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 48a80dd9a..a403118f2 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -344,9 +344,6 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
   if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN))
      return; /* Nothing new to add */
 
-  /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
-  ndpi_search_tcp_or_udp(ndpi_struct, flow);
-
   /* If no custom protocol has been detected */
   if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
      || ((http_protocol != NDPI_PROTOCOL_HTTP) &&
@@ -363,9 +360,14 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
           flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY)
     master_protocol = flow->detected_protocol_stack[0];
 
-  ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
-			     master_protocol,
-			     NDPI_CONFIDENCE_DPI);
+  /* Update the classification only if we don't already have master + app;
+     for example don't change the protocols if we have already detected a
+     sub-protocol via the (content-matched) subprotocols logic (i.e.
+     MPEGDASH, SOAP, ....) */
+  if(flow->detected_protocol_stack[1] == 0)
+    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
+			       master_protocol,
+			       NDPI_CONFIDENCE_DPI);
 
   /* This is necessary to inform the core to call this dissector again */
   flow->check_extra_packets = 1;
diff --git a/src/lib/protocols/mpegdash.c b/src/lib/protocols/mpegdash.c
index 0e2ac1944..147057ac3 100644
--- a/src/lib/protocols/mpegdash.c
+++ b/src/lib/protocols/mpegdash.c
@@ -31,15 +31,9 @@
 static void ndpi_int_mpegdash_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                              struct ndpi_flow_struct *flow)
 {
-  if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN ||
-      flow->guessed_host_protocol_id == NDPI_PROTOCOL_HTTP)
-  {
-    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGDASH, NDPI_PROTOCOL_HTTP,
-                               NDPI_CONFIDENCE_DPI);
-  } else {
-    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_MPEGDASH,
-                               NDPI_CONFIDENCE_DPI);
-  }
+  NDPI_LOG_INFO(ndpi_struct, "found MpegDash\n");
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_MPEGDASH,
+					    NDPI_CONFIDENCE_DPI);
 }
 
 void ndpi_search_mpegdash_http(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c
index c6a8b1f26..f49530ecf 100644
--- a/src/lib/protocols/rtsp.c
+++ b/src/lib/protocols/rtsp.c
@@ -30,10 +30,10 @@
 
 
 static void ndpi_int_rtsp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-					 struct ndpi_flow_struct *flow/* , */
-					 /* ndpi_protocol_type_t protocol_type */)
+					 struct ndpi_flow_struct *flow)
 {
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_RTSP,
+					    NDPI_CONFIDENCE_DPI);
 }
 
 /* this function searches for a rtsp-"handshake" over tcp or udp. */
diff --git a/src/lib/protocols/soap.c b/src/lib/protocols/soap.c
index a2504f15c..82e2ab428 100644
--- a/src/lib/protocols/soap.c
+++ b/src/lib/protocols/soap.c
@@ -27,14 +27,9 @@
 static void ndpi_int_soap_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                          struct ndpi_flow_struct *flow)
 {
-  if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_HTTP)
-  {
-    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_HTTP,
-                               NDPI_CONFIDENCE_DPI);
-  } else {
-    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_SOAP,
-                               NDPI_CONFIDENCE_DPI);
-  }
+  NDPI_LOG_INFO(ndpi_struct, "found Soap\n");
+  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_SOAP,
+					    NDPI_CONFIDENCE_DPI);
 }
 
 void ndpi_search_soap(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index c56475681..a29207464 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -1,4 +1,4 @@
-Guessed flow protos:	24
+Guessed flow protos:	25
 
 DPI Packets (TCP):	415	(4.23 pkts/flow)
 DPI Packets (UDP):	120	(1.21 pkts/flow)
@@ -39,8 +39,9 @@ Facebook	19	6840	2
 Google	33	54701	5
 LLMNR	91	6931	48
 GoogleServices	17	30330	1
-AmazonAWS	265	845607	20
+AmazonAWS	264	845308	19
 Tencent	1	571	1
+MpegDash	1	299	1
 1kxun	1209	3841345	48
 
 JA3 Host Stats: 
@@ -166,7 +167,7 @@ JA3 Host Stats:
 	116	TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][4 pkts/220 bytes <-> 2 pkts/132 bytes][Goodput ratio: 2/0][45.01 sec][bytes ratio: 0.250 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/45002 14999/45002 44996/45002 21211/0][Pkt Len c2s/s2c min/avg/max/stddev: 55/66 55/66 55/66 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	117	UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Hostname/SNI: joanna-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (Joanna)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	118	UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Hostname/SNI: kevin-pc][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,121,249,43,252][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (MSFT 5.07)][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	119	TCP 192.168.2.126:35666 -> 18.66.2.90:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/299 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Hostname/SNI: cdn.liftoff.io][User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build/RSR1.201013.001)][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /customers/45)][Plen Bins: 0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	119	TCP 192.168.2.126:35666 -> 18.66.2.90:80 [proto: 7.291/HTTP.MpegDash][ClearText][Confidence: DPI][cat: Media/1][1 pkts/299 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Hostname/SNI: cdn.liftoff.io][URL: cdn.liftoff.io/customers/45d4b09eba/videos/mobile/fd5692dd53042b199e03.mp4][StatusCode: 0][User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build/RSR1.201013.001)][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /customers/45)][Plen Bins: 0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	120	UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.295/DNS.1kxun][ClearText][Confidence: DPI][cat: Streaming/17][2 pkts/146 bytes <-> 1 pkts/137 bytes][Goodput ratio: 42/69][0.05 sec][Hostname/SNI: pic.1kxun.com][106.187.35.246][Plen Bins: 66,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	121	UDP 192.168.0.104:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][ClearText][Confidence: DPI][cat: System/18][3 pkts/276 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.54 sec][Hostname/SNI: sc.arrancar.org][PLAIN TEXT ( FDEDCOEBFC)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	122	UDP 192.168.115.8:51024 <-> 8.8.8.8:53 [proto: 5.295/DNS.1kxun][ClearText][Confidence: DPI][cat: Streaming/17][2 pkts/160 bytes <-> 1 pkts/112 bytes][Goodput ratio: 47/62][0.02 sec][Hostname/SNI: jp.kankan.1kxun.mobi][106.185.35.110][PLAIN TEXT (kankan)][Plen Bins: 0,66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/gnutella.pcap.out b/tests/result/gnutella.pcap.out
index 79f871d2a..1d2f7c300 100644
--- a/tests/result/gnutella.pcap.out
+++ b/tests/result/gnutella.pcap.out
@@ -1,13 +1,13 @@
 Guessed flow protos:	597
 
-DPI Packets (TCP):	522	(3.81 pkts/flow)
+DPI Packets (TCP):	528	(3.85 pkts/flow)
 DPI Packets (UDP):	1232	(2.01 pkts/flow)
 DPI Packets (other):	10	(1.00 pkts/flow)
 Confidence Unknown          : 595 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 163 (flows)
-Num dissector calls: 64253 (84.54 diss/flow)
+Num dissector calls: 64265 (84.56 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -46,15 +46,15 @@ JA3 Host Stats:
 	1	 10.0.2.15                	 1      
 
 
-	1	TCP 10.0.2.15:50327 <-> 69.118.162.229:46906 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][673 pkts/38650 bytes <-> 1683 pkts/2280370 bytes][Goodput ratio: 6/96][431.96 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.967 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 538/225 9653/1135 666/419][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57/1355 587/1514 40/279][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** HTTP Numeric IP Address **** Unsafe Protocol **][Risk Score: 20][Risk Info: Found host 69.118.162.229][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0]
-	2	TCP 10.0.2.15:50328 <-> 189.147.72.83:26108 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][420 pkts/23742 bytes <-> 831 pkts/1095030 bytes][Goodput ratio: 4/96][422.59 sec][Hostname/SNI: 189.147.72.83][bytes ratio: -0.958 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 1002/479 1310/1219 140/510][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57/1318 592/1514 36/217][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** HTTP Numeric IP Address **** Unsafe Protocol **][Risk Score: 20][Risk Info: Found host 189.147.72.83][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	1	TCP 10.0.2.15:50327 <-> 69.118.162.229:46906 [proto: 7.35/HTTP.Gnutella][ClearText][Confidence: DPI][cat: Media/1][673 pkts/38650 bytes <-> 1683 pkts/2280370 bytes][Goodput ratio: 6/96][431.96 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.967 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 538/225 9653/1135 666/419][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57/1355 587/1514 40/279][URL: 69.118.162.229:46906/uri-res/N2R?urn:sha1:LXIP2A72T5H3BU3GRUMZFYNU3OYDK6FI][StatusCode: 206][Content-Type: audio/mpeg][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Known Proto on Non Std Port **** HTTP Numeric IP Address **** Unsafe Protocol **][Risk Score: 70][Risk Info: Found host 69.118.162.229][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0]
+	2	TCP 10.0.2.15:50328 <-> 189.147.72.83:26108 [proto: 7.35/HTTP.Gnutella][ClearText][Confidence: DPI][cat: Media/1][420 pkts/23742 bytes <-> 831 pkts/1095030 bytes][Goodput ratio: 4/96][422.59 sec][Hostname/SNI: 189.147.72.83][bytes ratio: -0.958 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 1002/479 1310/1219 140/510][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 57/1318 592/1514 36/217][URL: 189.147.72.83:26108/uri-res/N2R?urn:sha1:LXIP2A72T5H3BU3GRUMZFYNU3OYDK6FI][StatusCode: 206][Content-Type: audio/mpeg][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Known Proto on Non Std Port **** HTTP Numeric IP Address **** Unsafe Protocol **][Risk Score: 70][Risk Info: Found host 189.147.72.83][PLAIN TEXT (GET /uri)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49,0,0,0,0,0,0,0,0,0,0,50,0,0]
 	3	TCP 10.0.2.15:50284 <-> 104.156.226.72:53258 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][182 pkts/12456 bytes <-> 183 pkts/50754 bytes][Goodput ratio: 21/81][504.99 sec][bytes ratio: -0.606 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2737/2652 27658/29635 5861/5897][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/277 654/1078 50/396][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 69,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,27,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP 10.0.2.15:50285 <-> 75.133.101.93:52367 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][153 pkts/10889 bytes <-> 159 pkts/25403 bytes][Goodput ratio: 24/66][505.01 sec][bytes ratio: -0.400 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3311/2989 31483/31436 6322/5994][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/160 653/1514 54/290][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 80,3,0,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]
 	5	TCP 10.0.2.15:50312 <-> 104.238.172.250:23548 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][146 pkts/10497 bytes <-> 149 pkts/15445 bytes][Goodput ratio: 25/48][502.88 sec][bytes ratio: -0.191 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3325/3112 28295/28349 6532/6371][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 72/104 655/1078 56/155][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 82,3,2,7,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	6	TCP 10.0.2.15:50300 <-> 188.61.52.183:11852 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][66 pkts/6593 bytes <-> 69 pkts/10484 bytes][Goodput ratio: 46/64][502.91 sec][bytes ratio: -0.228 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 8559/7533 32308/32351 8859/8516][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 100/152 653/1514 91/201][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 1,43,9,6,26,4,0,1,1,0,1,1,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]
 	7	UDP [fe80::c50d:519f:96a4:e108]:63958 -> [ff02::c]:3702 [proto: 153/WSD][ClearText][Confidence: DPI][cat: Network/14][14 pkts/15504 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][586.41 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 21/0 48849/0 583774/0 161286/0][Pkt Len c2s/s2c min/avg/max/stddev: 834/0 1107/0 1153/0 112/0][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	8	UDP 10.0.2.15:63957 -> 239.255.255.250:3702 [proto: 153/WSD][ClearText][Confidence: DPI][cat: Network/14][13 pkts/14194 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][586.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 21/0 53286/0 583775/0 167755/0][Pkt Len c2s/s2c min/avg/max/stddev: 814/0 1092/0 1115/0 80/0][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	9	TCP 10.0.2.15:50330 <-> 69.118.162.229:46906 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][9 pkts/1011 bytes <-> 12 pkts/11017 bytes][Goodput ratio: 51/94][3.38 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 388/240 1119/1115 493/448][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 112/918 567/1514 161/644][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** HTTP Numeric IP Address **** Unsafe Protocol **][Risk Score: 20][Risk Info: Found host 69.118.162.229][PLAIN TEXT (GET /gnutella/thex/v1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,55,0,0]
+	9	TCP 10.0.2.15:50330 <-> 69.118.162.229:46906 [proto: 7.35/HTTP.Gnutella][ClearText][Confidence: DPI][cat: Download/7][9 pkts/1011 bytes <-> 12 pkts/11017 bytes][Goodput ratio: 51/94][3.38 sec][Hostname/SNI: 69.118.162.229][bytes ratio: -0.832 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 388/240 1119/1115 493/448][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 112/918 567/1514 161/644][URL: 69.118.162.229:46906/gnutella/thex/v1?urn:tree:tiger/:3WMUS6WM2ZC7XIPRQDKXWHHJRV4IKYC4OX4ELCA&depth=9&ed2k=1][StatusCode: 200][Content-Type: application/dime][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Known Proto on Non Std Port **** HTTP Numeric IP Address **** Unsafe Protocol **][Risk Score: 70][Risk Info: Found host 69.118.162.229][PLAIN TEXT (GET /gnutella/thex/v1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,55,0,0]
 	10	TCP 10.0.2.15:50248 <-> 109.214.154.216:6346 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][45 pkts/3196 bytes <-> 54 pkts/8256 bytes][Goodput ratio: 24/65][522.53 sec][bytes ratio: -0.442 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/1 12254/10032 54436/54424 15860/15019][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 71/153 358/1078 50/183][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 56,1,12,5,3,1,1,7,3,1,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	11	TCP 10.0.2.15:50249 <-> 86.208.180.181:45883 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][43 pkts/3087 bytes <-> 47 pkts/7704 bytes][Goodput ratio: 24/67][522.17 sec][bytes ratio: -0.428 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 11973/13240 47909/55396 14672/15777][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 72/164 357/1119 51/213][User-Agent: gtk-gnutella/1.2.2 (2022-02-25; GTK2; Windows x64)][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (GNUTELLA CONNECT/0.6)][Plen Bins: 57,0,4,6,4,4,4,2,6,2,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	12	UDP 10.0.2.15:28681 <-> 80.61.221.246:30577 [proto: 35/Gnutella][ClearText][Confidence: DPI][cat: Download/7][9 pkts/1185 bytes <-> 9 pkts/5195 bytes][Goodput ratio: 68/93][197.38 sec][bytes ratio: -0.629 (Download)][IAT c2s/s2c min/avg/max/stddev: 39/35 26439/26440 107210/107216 34356/34358][Pkt Len c2s/s2c min/avg/max/stddev: 70/148 132/577 274/769 53/274][Risk: ** Unsafe Protocol **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (u.GTKG)][Plen Bins: 5,5,33,11,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/mpeg-dash.pcap.out b/tests/result/mpeg-dash.pcap.out
index 19277ad3a..30c2174e9 100644
--- a/tests/result/mpeg-dash.pcap.out
+++ b/tests/result/mpeg-dash.pcap.out
@@ -1,6 +1,6 @@
-Guessed flow protos:	0
+Guessed flow protos:	3
 
-DPI Packets (TCP):	10	(2.50 pkts/flow)
+DPI Packets (TCP):	13	(3.25 pkts/flow)
 Confidence DPI              : 4 (flows)
 Num dissector calls: 64 (16.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
@@ -19,10 +19,9 @@ Patricia risk mask:   8/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia protocols:   10/6 (search/found)
 
-AmazonAWS	9	2693	3
-MpegDash	4	1976	1
+MpegDash	13	4669	4
 
 	1	TCP 10.84.1.81:60926 <-> 166.248.152.10:80 [proto: 7.291/HTTP.MpegDash][ClearText][Confidence: DPI][cat: Media/1][2 pkts/456 bytes <-> 2 pkts/1520 bytes][Goodput ratio: 72/92][0.30 sec][Hostname/SNI: gdl.news-cdn.site][URL: gdl.news-cdn.site/as/bigo-ad-creatives/3s3/2lOTA7.mp4][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; SM-A715F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.105 Mobile Safari/537.36][Risk: ** Suspicious DGA Domain name **][Risk Score: 100][Risk Info: gdl.news-cdn.site][PLAIN TEXT (GET /as/bigo)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0]
-	2	TCP 54.161.101.85:80 <-> 192.168.2.105:59144 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Media/1][2 pkts/1649 bytes <-> 2 pkts/323 bytes][Goodput ratio: 92/59][0.01 sec][PLAIN TEXT (OHTTP/1.1 200 OK)][Plen Bins: 0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0]
-	3	TCP 192.168.2.105:59142 <-> 54.161.101.85:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][3 pkts/390 bytes <-> 1 pkts/74 bytes][Goodput ratio: 47/0][0.10 sec][Hostname/SNI: livesim.dashif.org][User-Agent: VLC/3.0.16 LibVLC/3.0.16][PLAIN TEXT (IGET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	TCP 192.168.2.105:59146 -> 54.161.101.85:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/257 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Hostname/SNI: livesim.dashif.org][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 54.161.101.85:80 <-> 192.168.2.105:59144 [proto: 7.291/HTTP.MpegDash][ClearText][Confidence: DPI][cat: Media/1][2 pkts/1649 bytes <-> 2 pkts/323 bytes][Goodput ratio: 92/59][0.01 sec][PLAIN TEXT (OHTTP/1.1 200 OK)][Plen Bins: 0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0]
+	3	TCP 192.168.2.105:59142 <-> 54.161.101.85:80 [proto: 7.291/HTTP.MpegDash][ClearText][Confidence: DPI][cat: Media/1][3 pkts/390 bytes <-> 1 pkts/74 bytes][Goodput ratio: 47/0][0.10 sec][Hostname/SNI: livesim.dashif.org][URL: livesim.dashif.org/livesim/sts_1652783809/sid_40c11e12/chunkdur_1/ato_7/testpic4_8s/A48/init.mp4][StatusCode: 0][User-Agent: VLC/3.0.16 LibVLC/3.0.16][PLAIN TEXT (IGET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 192.168.2.105:59146 -> 54.161.101.85:80 [proto: 7.291/HTTP.MpegDash][ClearText][Confidence: DPI][cat: Media/1][1 pkts/257 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Hostname/SNI: livesim.dashif.org][URL: livesim.dashif.org/livesim/sts_1652783809/sid_40c11e12/chunkdur_1/ato_7/testpic4_8s/V2400/206598099.m4s][StatusCode: 0][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (GET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/soap.pcap.out b/tests/result/soap.pcap.out
index 797519e6d..3126c74cb 100644
--- a/tests/result/soap.pcap.out
+++ b/tests/result/soap.pcap.out
@@ -1,4 +1,4 @@
-Guessed flow protos:	1
+Guessed flow protos:	2
 
 DPI Packets (TCP):	20	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
@@ -14,16 +14,15 @@ LRU cache msteams:    0/0/0 (insert/search/found)
 Automa host:          2/2 (search/found)
 Automa domain:        1/0 (search/found)
 Automa tls cert:      0/0 (search/found)
-Automa risk mask:     0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
 Automa common alpns:  0/0 (search/found)
 Patricia risk mask:   6/0 (search/found)
 Patricia risk:        2/0 (search/found)
 Patricia protocols:   16/0 (search/found)
 
 HTTP	14	5498	1
-Microsoft	1	1506	1
-SOAP	5	3944	1
+SOAP	6	5450	2
 
 	1	TCP 192.168.2.100:50100 <-> 23.2.213.165:80 [proto: 7/HTTP][ClearText][Confidence: Match by port][cat: Web/5][7 pkts/4746 bytes <-> 7 pkts/752 bytes][Goodput ratio: 92/39][5.01 sec][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 989/1236 2486/2486 1098/1096][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 678/107 1506/362 717/104][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0]
 	2	TCP 185.32.192.30:80 <-> 85.154.114.113:56028 [VLAN: 808][proto: 253/SOAP][ClearText][Confidence: DPI][cat: RPC/16][3 pkts/2487 bytes <-> 2 pkts/1457 bytes][Goodput ratio: 92/92][0.34 sec][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
-	3	TCP 192.168.2.100:50100 -> 23.2.213.165:4176 [proto: 253.212/SOAP.Microsoft][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Hostname/SNI: go.microsoft.com][User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
+	3	TCP 192.168.2.100:50100 -> 23.2.213.165:4176 [proto: 7.253/HTTP.SOAP][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Hostname/SNI: go.microsoft.com][URL: go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409][StatusCode: 0][Req Content-Type: text/xml][User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2022-08-05 14:14:38 +0200
committer	GitHub <noreply@github.com>	2022-08-05 14:14:38 +0200
commit	c0732eda45884de91e0c221e9dd23eeec364bf68 (patch)
tree	50a3146ccb9463fb4724fcf8268122d9bdccd371
parent	346e274a1b1d713aedfc341f7d1300009f9f0e1a (diff)