Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)

Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting

Basic idea:
* the packets/bytes distribution of a TLS handshake is quite unique
* this fingerprint is still detectable if the handshake is
encrypted/proxied/obfuscated

All heuristics are disabled by default.

32 files changed, 932 insertions, 14 deletions

diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index fee2e5e6d..6e1b0a559 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -26,6 +26,8 @@ TODO
 | NULL         | "lru.$CACHE_NAME.scope"                   | 0             | 0         | 1         | Set the scope of the specified LRU cache (0 = the cache is local, 1 = the cache is global). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, stun, tls_cert, mining, msteams, fpc_dns. The global scope con be set only if a global context has been initialized |
 | "tls"        | "certificate_expiration_threshold"        | 30            | 0         | 365       | The threshold (in days) used to trigger the `NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE` flow risk |
 | "tls"        | "application_blocks_tracking"             | disable       | NULL      | NULL      | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow |
+| "tls  "      | "dpi.heuristics",                         | 0x00          | 0x00      | 0x07      | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting |
+| "tls  "      | "dpi.heuristics.max_packets_extra_dissection",  | 25            | 0         | 255       | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. |
 | "tls"        | "metadata.sha1_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
 | "tls"        | "metadata.ja3c_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA3C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_JA3` is not checked |
 | "tls"        | "metadata.ja3s_fingerprint"               | enable        | NULL      | NULL      | Enable/disable computation and export of JA3S fingerprint for TLS flows |
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 207056785..32b7399cd 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -5951,6 +5951,25 @@ void memmemUnitTest(void) {
 
 /* *********************************************** */
 
+void mahalanobisUnitTest()
+{
+  /* Example based on: https://supplychenmanagement.com/2019/03/06/calculating-mahalanobis-distance/ */
+
+  const float i_s[3 * 3] = {  0.0482486100061447, -0.00420645518018837, -0.0138921893248235,
+                             -0.00420645518018836, 0.00177288408892603, -0.00649813703331057,
+                             -0.0138921893248235, -0.00649813703331056,  0.066800436339011 }; /* Inverted covar matrix */
+  const float u[3] = { 22.8, 180.0, 9.2 }; /* Means vector */
+  u_int32_t x[3] = { 26, 167, 12 }; /* Point */
+  float md;
+
+  md = ndpi_mahalanobis_distance(x, 3, u, i_s);
+  /* It is a bit tricky to test float equality on different archs -> loose check.
+   * md sholud be 1.3753 */
+  assert(md >= 1.37 && md <= 1.38);
+}
+
+/* *********************************************** */
+
 void filterUnitTest() {
   ndpi_filter* f = ndpi_filter_alloc();
   u_int32_t v, i;
@@ -6440,6 +6459,7 @@ int main(int argc, char **argv) {
     strnstrUnitTest();
     strncasestrUnitTest();
     memmemUnitTest();
+    mahalanobisUnitTest();
 #endif
   }
 
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index a23b74c30..0e8dda18d 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -130,6 +130,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     ndpi_get_config(ndpi_info_mod, "tls", "application_blocks_tracking", cfg_value, sizeof(cfg_value));
   }
   if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 0x07 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "dpi.heuristics", cfg_value);
+    value = fuzzed_data.ConsumeIntegralInRange(0, 255 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "dpi.heuristics.max_packets_extra_dissection", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     snprintf(cfg_value, sizeof(cfg_value), "%d", value);
     ndpi_set_config(ndpi_info_mod, "tls", "metadata.sha1_fingerprint", cfg_value);
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 2db6f696b..784e506d9 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -92,6 +92,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
     ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1");
     ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics", "0x01");
     ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics.num_messages", "255");
+    ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics", "0x07");
+    ndpi_set_config(workflow->ndpi_struct, "tls", "dpi.heuristics.max_packets_extra_dissection", "255");
 
     ndpi_finalize_initialization(workflow->ndpi_struct);
 
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index ae1540dc6..d2ba9816e 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1853,6 +1853,11 @@ extern "C" {
 
   /* ******************************* */
 
+  /* Mahalanobis distance (https://en.wikipedia.org/wiki/Mahalanobis_distance) between a point x and a distribution with mean u and inverted covariant matrix i_s */
+  float ndpi_mahalanobis_distance(const u_int32_t *x, u_int32_t size, const float *u, const float *i_s);
+
+  /* ******************************* */
+
   int  ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int16_t num_bins);
   void ndpi_free_bin(struct ndpi_bin *b);
   struct ndpi_bin* ndpi_clone_bin(struct ndpi_bin *b);
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index be142717b..0bb3af0f1 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -121,6 +121,7 @@ struct ndpi_packet_struct {
   struct ndpi_int_one_line_struct http_origin;
   struct ndpi_int_one_line_struct server_line;
   struct ndpi_int_one_line_struct http_method;
+  struct ndpi_int_one_line_struct upgrade_line;
   struct ndpi_int_one_line_struct http_response; /* the first "word" in this pointer is the
 						    response code in the packet (200, etc) */
 
@@ -233,6 +234,8 @@ struct ndpi_detection_module_config_struct {
 
   int tls_certificate_expire_in_x_days;
   int tls_app_blocks_tracking_enabled;
+  int tls_heuristics;
+  int tls_heuristics_max_packets;
   int tls_sha1_fingerprint_enabled;
   int tls_ja3c_fingerprint_enabled;
   int tls_ja3s_fingerprint_enabled;
@@ -642,7 +645,8 @@ void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
 int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len);
 void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
 				    struct ndpi_flow_struct *flow);
-
+void switch_extra_dissection_to_tls_obfuscated_heur(struct ndpi_detection_module_struct* ndpi_struct,
+                                                    struct ndpi_flow_struct* flow);
 /* HTTP */
 void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
                              struct ndpi_flow_struct *flow,
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index b095ca221..fc0a2cf16 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -795,6 +795,11 @@ struct ndpi_lru_cache {
 /* OpenVPN */
 #define NDPI_HEURISTICS_OPENVPN_OPCODE			0x01 /* Enable heuristic based on opcode frequency */
 
+/* TLS */
+#define NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN		0x01 /* Enable heuristic to detect proxied/obfuscated TLS flows over generic/unknown flows */
+#define NDPI_HEURISTICS_TLS_OBFUSCATED_TLS		0x02 /* Enable heuristic to detect proxied/obfuscated TLS flows over TLS tunnels, i.e. TLS over TLS */
+#define NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP		0x04 /* Enable heuristic to detect proxied/obfuscated TLS flows over HTTP/WebSocket */
+
 
 /* ************************************************** */
 
@@ -1304,6 +1309,7 @@ struct ndpi_flow_struct {
   struct {
     ndpi_http_method method;
     u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
+    u_int8_t websocket:1, _pad:7;
     u_int16_t response_status_code; /* 200, 404, etc. */
     char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent, *server;
     char *detected_os; /* Via HTTP/QUIC User-Agent */
@@ -1330,7 +1336,8 @@ struct ndpi_flow_struct {
 
   struct {
     message_t message[2]; /* Directions */
-    u_int8_t certificate_processed:1, _pad:7;
+    u_int8_t certificate_processed:1, change_cipher_from_client:1, change_cipher_from_server:1, from_opportunistic_tls:1, pad:4;
+    struct tls_obfuscated_heuristic_state *obfuscated_heur_state;
   } tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS/FTPS */
 
   union {
@@ -1549,7 +1556,7 @@ struct ndpi_flow_struct {
   /* Flow payload */
   u_int16_t flow_payload_len;
   char *flow_payload;
-  
+
   /* 
      Leave this field below at the end
      The field below can be used by third
@@ -1563,8 +1570,8 @@ struct ndpi_flow_struct {
 _Static_assert(sizeof(((struct ndpi_flow_struct *)0)->protos) <= 264,
                "Size of the struct member protocols increased to more than 264 bytes, "
                "please check if this change is necessary.");
-_Static_assert(sizeof(struct ndpi_flow_struct) <= 1152,
-               "Size of the flow struct increased to more than 1152 bytes, "
+_Static_assert(sizeof(struct ndpi_flow_struct) <= 1160,
+               "Size of the flow struct increased to more than 1160 bytes, "
                "please check if this change is necessary.");
 #endif
 #endif
diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c
index c6132e429..176f4eeef 100644
--- a/src/lib/ndpi_analyze.c
+++ b/src/lib/ndpi_analyze.c
@@ -2141,3 +2141,42 @@ void ndpi_free_knn(ndpi_knn knn) { free_knn(knn, knn.n_samples); }
 
 void ndpi_free_btree(ndpi_btree *b) { free_tree((t_btree*)b); }
 
+/* ********************************************************************************* */
+
+/* It provides the Mahalanobis distance (https://en.wikipedia.org/wiki/Mahalanobis_distance)
+   between a point x and a distribution with mean u and inverted covariant matrix i_s.
+   Parameters:
+    x: input array (with dimension "size")
+    u: means array (with dimension "size")
+    i_s: inverted covariant matrix (with dimension "size" * "size")
+
+   Bottom line: distance = sqrt([x - u] * [i_s] * [x - u]^T)
+*/
+float ndpi_mahalanobis_distance(const u_int32_t *x, u_int32_t size, const float *u, const float *i_s)
+{
+  float md = 0;
+  float *diff; /* [x - u] */
+  float *tmp;  /* Result of [x - u] * [i_s] */
+  u_int32_t i, j;
+
+  /* Could we get rid of these allocations? */
+  diff = ndpi_calloc(sizeof(float), size);
+  tmp = ndpi_calloc(sizeof(float), size);
+  if(diff && tmp) {
+    for (i = 0; i < size; i++)
+      diff[i] = x[i] - u[i];
+
+    /* Naive implementation of matrix multiplication(s) */
+    for(i = 0; i < size; i++) {
+      for(j = 0; j < size; j++) {
+        tmp[i] += diff[j] * i_s[size * j + i];
+      }
+    }
+    for(i = 0; i < size; i++)
+      md += tmp[i] * diff[i];
+  }
+  ndpi_free(diff);
+  ndpi_free(tmp);
+
+  return sqrt(md);
+}
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b3b70de5a..e70fb87ec 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -198,7 +198,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_MALWARE_HOST_CONTACTED,                NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_BINARY_DATA_TRANSFER,                  NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_PROBING_ATTEMPT,                       NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
-  { NDPI_OBFUSCATED_TRAFFIC,                    NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE },
+  { NDPI_OBFUSCATED_TRAFFIC,                    NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE },
 
   /* Leave this as last member */
   { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY   }
@@ -6769,6 +6769,9 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
 
     if(flow->flow_payload != NULL)
       ndpi_free(flow->flow_payload);
+
+    if(flow->tls_quic.obfuscated_heur_state)
+      ndpi_free(flow->tls_quic.obfuscated_heur_state);
   }
 }
 
@@ -8320,6 +8323,7 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
     packet->server_line.len = 0, packet->http_method.ptr = NULL, packet->http_method.len = 0,
     packet->http_response.ptr = NULL, packet->http_response.len = 0,
     packet->forwarded_line.ptr = NULL, packet->forwarded_line.len = 0;
+    packet->upgrade_line.ptr = NULL, packet->upgrade_line.len = 0;
 }
 
 /* ********************************************************************************* */
@@ -9026,6 +9030,7 @@ static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_s
                                      { "Authorization:", &packet->authorization_line },
                                      { NULL, NULL} };
   struct header_line headers_u[] = { { "User-agent:", &packet->user_agent_line },
+                                     { "Upgrade:", &packet->upgrade_line },
                                      { NULL, NULL} };
   struct header_line headers_c[] = { { "Content-Disposition:", &packet->content_disposition_line },
                                      { "Content-type:", &packet->content_line },
@@ -11452,6 +11457,8 @@ static const struct cfg_param {
 
   { "tls",           "certificate_expiration_threshold",        "30", "0", "365", CFG_PARAM_INT, __OFF(tls_certificate_expire_in_x_days), NULL },
   { "tls",           "application_blocks_tracking",             "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled), NULL },
+  { "tls",           "dpi.heuristics",                          "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL },
+  { "tls",           "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL },
   { "tls",           "metadata.sha1_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL },
   { "tls",           "metadata.ja3c_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL },
   { "tls",           "metadata.ja3s_fingerprint",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL },
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index bf26467da..57f71e2fe 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -148,7 +148,19 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_
 #endif
 
   if(flow->extra_packets_func == NULL) {
-    return(0); /* We're good now */
+    /* HTTP stuff completed */
+
+    /* Loook for TLS over websocket */
+    if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP) && /* Feature enabled */
+       (flow->host_server_name[0] != '\0' &&
+        flow->http.response_status_code != 0) && /* Bidirectional HTTP traffic */
+       flow->http.websocket) {
+
+      switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow);
+      return(1);
+    }
+
+    return(0); /* We are good now */
   }
 
   /* Possibly more processing */
@@ -954,6 +966,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
     }
   }
 
+  if(packet->upgrade_line.ptr != NULL) {
+    if(flow->http.response_status_code == 101 &&
+       memcmp((char *)packet->upgrade_line.ptr, "websocket", 9) == 0)
+      flow->http.websocket = 1;
+  }
+
   if(packet->server_line.ptr != NULL) {
     if(flow->http.server == NULL) {
       len = packet->server_line.len + 1;
@@ -1577,7 +1595,7 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
   ndpi_check_http_tcp(ndpi_struct, flow);
 
   if((ndpi_struct->cfg.http_parse_response_enabled &&
-      flow->host_server_name[0] != '\0'&&
+      flow->host_server_name[0] != '\0' &&
       flow->http.response_status_code != 0) ||
      (!ndpi_struct->cfg.http_parse_response_enabled &&
       (flow->host_server_name[0] != '\0' ||
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b413cd262..c8f880d49 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -152,6 +152,305 @@ static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct,
 
 /* **************************************** */
 
+/* Heuristic to detect proxied/obfuscated TLS flows, based on
+   https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting.
+   Main differences between the paper and our implementation:
+    * only Mahalanobis Distance, no Chi-squared Test
+    * instead of 3-grams, we use 4-grams, always starting from the Client -> Server direction
+    * consecutive packets in the same direction always belong to the same burst/flight
+
+   Core idea:
+    * the packets/bytes distribution of a TLS handshake is quite unique
+    * this fingerprint is still detectable if the handshake is
+      encrypted/proxied/obfuscated
+*/
+
+struct tls_obfuscated_heuristic_set {
+  u_int8_t stage;
+  u_int32_t bytes[4];
+  u_int32_t pkts[4];
+};
+
+struct tls_obfuscated_heuristic_state {
+  u_int8_t num_pkts;
+
+  /* Burst/flight: consecutive packets in the same direction.
+   * Set: packet/bytes distribution of 4 consecutive bursts (always starting from C->S),
+          i.e. a 4-grams (using the paper terminology)
+   * We have up tp 2 sets contemporarily active.
+   * At the first pkt of a new C->S flight, we close the oldest set and open a new one */
+  struct tls_obfuscated_heuristic_set sets[2];
+};
+
+static int check_set(struct ndpi_detection_module_struct* ndpi_struct,
+                     struct tls_obfuscated_heuristic_set *set)
+{
+#ifdef NDPI_ENABLE_DEBUG_MESSAGES
+  struct ndpi_packet_struct* packet = &ndpi_struct->packet;
+#endif
+
+  /* Model: TLS 1.2; Firefox; No session resumption/0rtt */
+  const float i_s_tls_12[4 * 4] = { 0.000292421113167604, 4.43677617831228E-07, -5.69966093492813E-05, -2.18124698406311E-06,
+                                    4.43677617831228E-07, 5.98954952745268E-07, -3.59798436724817E-07, 5.71638172955893E-07,
+                                    -5.69966093492813E-05, -3.59798436724817E-07, 0.00076893788148309, 2.22278496185964E-05,
+                                    -2.18124698406311E-06, 5.71638172955893E-07, 2.22278496185964E-05, 5.72770077086287E-05 };
+  const float average_tls_12[4] = { 212.883690341977, 4514.71195039459, 107.770762871101, 307.580232995115 };
+  const float distance_tls_12 = 3.5;
+
+  /* Model: TLS 1.3; Firefox; No session resumption/0rtt; no PQ; ECH(-grease) enabled */
+  const float i_s_tls_13[4 * 4] = { 3.08030337925007E-05, 1.16179172096944E-07, 1.05356744968627E-07, 3.8862884355278E-08,
+                                    1.16179172096944E-07, 6.93179117519316E-07, 2.77413220880937E-08, -3.63723200682445E-09,
+                                    1.05356744968627E-07, 2.77413220880937E-08, 1.0260950589675E-06, -1.08769813590053E-08,
+                                    3.88628843552779E-08, -3.63723200682445E-09, -1.08769813590053E-08,	8.63307792288604E-08 };
+  const float average_tls_13[4] = { 640.657378447541, 4649.30338356554, 448.408302530566, 1094.2013079329};
+  const float distance_tls_13 = 3.0;
+
+  /* Model: TLS 1.2/1.3; Chrome; No session resumption/0rtt; PQ; ECH(-grease) enabled */
+  const float i_s_chrome[4 * 4] = { 6.72374390966642E-06, -2.32109583941723E-08, 6.67140014394388E-08, 1.2526322628285E-08,
+                                    -2.32109583941723E-08, 5.64668947932086E-07, 4.58963631972597E-08, 6.41254684791958E-09,
+                                    6.67140014394388E-08, 4.58963631972597E-08, 6.04057768431344E-07, -9.1507432597718E-10,
+                                    1.2526322628285E-08, 6.41254684791958E-09, -9.1507432597718E-10, 1.01184796635481E-07 };
+  const float average_chrome[4] = { 1850.43045387994, 4903.07735480722, 785.25280624695, 1051.22303562714 };
+  const float distance_chrome = 3.0;
+
+  /* TODO: * ECH/PQ are still under development/deployment -> re-evaluate these models
+           * Session resumptions/0rtt
+	   * Non-web traffic */
+
+  /* This is the only logic about pkts distributions.
+     ClientHello shoudn't be splitted in too many fragments: usually 1; 2 with PQ */
+  if(set->pkts[0] > 3) {
+    NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: too many pkts in the first burst %d\n", set->pkts[0]);
+    return 0;
+  }
+
+  if(ndpi_mahalanobis_distance(set->bytes, 4, average_chrome, i_s_chrome) < distance_chrome ||
+     /* To avoid false positives: we didn't find TLS 1.3 CH smaller than 517 */
+     (set->bytes[0] >= 517 && ndpi_mahalanobis_distance(set->bytes, 4, average_tls_13, i_s_tls_13) < distance_tls_13) ||
+     ndpi_mahalanobis_distance(set->bytes, 4, average_tls_12, i_s_tls_12) < distance_tls_12) {
+
+    NDPI_LOG_DBG(ndpi_struct, "TLS-Obf-Heur: md %f %f %f [%d/%d/%d/%d %d/%d/%d/%d] TCP? %d\n",
+                 ndpi_mahalanobis_distance(set->bytes, 4, average_tls_12, i_s_tls_12),
+                 ndpi_mahalanobis_distance(set->bytes, 4, average_tls_13, i_s_tls_13),
+                 ndpi_mahalanobis_distance(set->bytes, 4, average_chrome, i_s_chrome),
+                 set->pkts[0], set->pkts[1], set->pkts[2], set->pkts[3],
+                 set->bytes[0], set->bytes[1], set->bytes[2], set->bytes[3],
+                 !!packet->tcp);
+    return 1;
+  }
+
+  return 0;
+}
+
+static int tls_obfuscated_heur_search(struct ndpi_detection_module_struct* ndpi_struct,
+                                      struct ndpi_flow_struct* flow) {
+  struct ndpi_packet_struct* packet = &ndpi_struct->packet;
+  struct tls_obfuscated_heuristic_state *state = flow->tls_quic.obfuscated_heur_state;
+  struct tls_obfuscated_heuristic_set *set;
+  int i, j;
+  int is_tls_in_tls_heur = 0;
+  int byte_overhead;
+
+  /* Stages:
+     0: Unused/Start
+     1: C->S : burst 1
+     2: S->C : burst 2
+     3: C->S : burst 3
+     4: S->C : burst 4
+     5: C->S : End
+  */
+
+  if(!state)
+    return 1; /* Exclude */
+
+  if(packet->payload_packet_len == 0)
+    return 0; /* Continue */
+
+  NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: num_pkts %d\n", state->num_pkts);
+
+  if(flow->extra_packets_func &&
+     (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS ||
+      flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS)) /* TLS-in-TLS heuristic */
+    is_tls_in_tls_heur = 1;
+
+  /* We try to keep into account the overhead (header/padding/mac/iv/nonce) of the
+     external layers (i.e. above the TLS hanshake we are trying to detect) */
+  if(is_tls_in_tls_heur == 1) {
+    /* According to https://datatracker.ietf.org/doc/html/draft-mattsson-uta-tls-overhead-01
+       the average packet overhead for TLS is 29 bytes.
+       TODO: this draft is OLD and about TLS 1.2
+       Looking at real traffic, we found that we can have TLS packets 24 bytes long
+    */
+    byte_overhead = 24;
+  } else {
+    /* The paper says that the overhead is usually quite small
+       ["typically ranging between 20 to 60 bytes"], without any citations.
+       From the tests, it seams that we can ignore it */
+    byte_overhead = 0;
+  }
+
+  if(packet->payload_packet_len < byte_overhead) {
+    NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: packet too small. Stop.\n");
+    return 1; /* Exclude */
+  }
+
+  if(is_tls_in_tls_heur == 1) {
+    /* We usually stop processing TLS handshake (and switch to this extra dissection
+       data path) after the FIRST Change-Cipher message. However, for this
+       heuristic, we need to ignore all packets before a Change-Cipher is sent in the
+       same direction */
+    if(current_pkt_from_client_to_server(ndpi_struct, flow) &&
+       flow->tls_quic.change_cipher_from_client == 0) {
+      if(packet->payload[0] == 0x14) {
+        NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: Change-Cipher from client\n");
+        flow->tls_quic.change_cipher_from_client = 1;
+      }
+      NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: skip\n");
+      return 0; /* Continue */
+    }
+    if(current_pkt_from_server_to_client(ndpi_struct, flow) &&
+       flow->tls_quic.change_cipher_from_server == 0) {
+      if(packet->payload[0] == 0x14) {
+        flow->tls_quic.change_cipher_from_server = 1;
+        NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: Change-Cipher from server\n");
+      }
+      NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: skip\n");
+      return 0; /* Continue */
+    }
+  }
+
+  if(state->num_pkts++ > ndpi_struct->cfg.tls_heuristics_max_packets) {
+    NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: too many pkts. Stop\n");
+    return 1; /* Exclude */
+  }
+
+  /* Update active sets */
+  for(i = 0; i < 2; i ++) {
+    set = &state->sets[i];
+    switch(set->stage) {
+    case 0:
+      /* This happen only at the beginning of the heuristic: after the first pkt
+         of the third (absolute) burst, we always have both sets used */
+      if(i == 0 || state->sets[0].stage == 3) {
+        if(current_pkt_from_client_to_server(ndpi_struct, flow)) {
+          NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: open set %d\n", i);
+          set->stage = 1;
+          break;
+	} else {
+          /* First packet should be always from client.
+	     This shortcut makes detection harder if, before the obfuscated TLS hanshake
+	     there is random traffic */
+          return 1; /* Exclude */
+	}
+      }
+      continue;
+    case 1:
+      if(current_pkt_from_server_to_client(ndpi_struct, flow))
+        set->stage = 2;
+      break;
+    case 2:
+      if(current_pkt_from_client_to_server(ndpi_struct, flow))
+        set->stage = 3;
+      break;
+    case 3:
+      if(current_pkt_from_server_to_client(ndpi_struct, flow))
+        set->stage = 4;
+      break;
+    case 4:
+      if(current_pkt_from_client_to_server(ndpi_struct, flow))
+        set->stage = 5;
+      break;
+    /* We cant have 5 here */
+    }
+
+    if(set->stage != 5) {
+      set->bytes[set->stage - 1] += (packet->payload_packet_len - byte_overhead);
+      set->pkts[set->stage - 1] += 1;
+    }
+
+    NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d stage %d bytes %d/%d/%d/%d pkts %d/%d/%d/%d\n",
+                  i, set->stage,
+                  set->bytes[0], set->bytes[1], set->bytes[2], set->bytes[3],
+                  set->pkts[0], set->pkts[1], set->pkts[2], set->pkts[3]);
+
+    /* Check completed set */
+    if(set->stage == 5) {
+      NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d completed\n", i);
+      if(check_set(ndpi_struct, set)) {
+        /* Heuristic match */
+        return 2; /* Found */
+      } else {
+        /* Close this set and open a new one... */
+        set->stage = 1;
+        set->bytes[0] = packet->payload_packet_len - byte_overhead;
+        set->pkts[0] = 1;
+	for(j = 1; j < 4; j++) {
+          set->bytes[j] = 0;
+          set->pkts[j] = 0;
+        }
+        NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: set %d closed and reused\n", i);
+      }
+    }
+  }
+
+  return 0; /* Continue */
+}
+
+static int tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct* ndpi_struct,
+                                            struct ndpi_flow_struct* flow)
+{
+  int rc;
+
+  NDPI_LOG_DBG2(ndpi_struct, "TLS-Obf-Heur: extra dissection\n");
+
+  rc = tls_obfuscated_heur_search(ndpi_struct, flow);
+  if(rc == 0)
+    return 1; /* Keep working */
+  if(rc == 2) {
+    NDPI_LOG_DBG(ndpi_struct, "TLS-Obf-Heur: found!\n");
+
+    /* Right now, if an heuritic matches, we set the classification/risk.
+       TODO: avoid false positives!
+       Some ideas:
+        * try to identify the servers: we wait for multiple sessions to the same server,
+          before to start marking the flows to that address
+        * consider the number of burst after TLS handshake (see Fig 8 paper) */
+
+    if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
+      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_AGGRESSIVE);
+      ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS traffic");
+    } else {
+      flow->confidence = NDPI_CONFIDENCE_DPI_AGGRESSIVE; /* Update the value */
+      if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS ||
+         flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS)
+        ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-TLS traffic");
+      else
+        ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-HTTP-WebSocket traffic");
+    }
+
+    ndpi_protocol ret = { { __get_master(ndpi_struct, flow), NDPI_PROTOCOL_UNKNOWN }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
+    flow->category = ndpi_get_proto_category(ndpi_struct, ret);
+  }
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow); /* Not necessary in extra-dissection data path,
+                                            but we need it with the plain heuristic */
+  return 0; /* Stop */
+}
+
+void switch_extra_dissection_to_tls_obfuscated_heur(struct ndpi_detection_module_struct* ndpi_struct,
+                                                    struct ndpi_flow_struct* flow)
+{
+  NDPI_LOG_DBG(ndpi_struct, "Switching to TLS Obfuscated heuristic\n");
+
+  flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state));
+
+  /* "* 2" to take into account ACKs. The "real" check is performend against
+     "tls_heuristics_max_packets" in tls_obfuscated_heur_search, as expected */
+  flow->max_extra_packets_to_check = ndpi_struct->cfg.tls_heuristics_max_packets * 2;
+  flow->extra_packets_func = tls_obfuscated_heur_search_again;
+}
+
+/* **************************************** */
+
 static int ndpi_search_tls_memory(const u_int8_t *payload,
 				  u_int16_t payload_len,
 				  u_int32_t seq,
@@ -1018,7 +1317,6 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
      https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5 */
   if(!(message->buffer[0] >= 20 &&
        message->buffer[0] <= 26)) {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     something_went_wrong = 1;
   }
 
@@ -1072,6 +1370,11 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 #ifdef DEBUG_TLS
         printf("[TLS] Change Cipher Spec\n");
 #endif
+        if(current_pkt_from_client_to_server(ndpi_struct, flow))
+          flow->tls_quic.change_cipher_from_client = 1;
+        else
+          flow->tls_quic.change_cipher_from_server = 1;
+
         ndpi_int_tls_add_connection(ndpi_struct, flow);
         flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1;
         /* Further data is encrypted so we are not able to parse it without
@@ -1215,6 +1518,16 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
       ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
       flow->extra_packets_func = NULL;
       return(0); /* That's all */
+    /* Loook for TLS-in-TLS */
+    } else if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_TLS) && /* Feature enabled */
+              (!something_went_wrong &&
+               flow->tls_quic.certificate_processed == 1 &&
+               flow->protos.tls_quic.client_hello_processed == 1 &&
+               flow->protos.tls_quic.server_hello_processed == 1) && /* TLS handshake found without errors */
+               flow->tls_quic.from_opportunistic_tls == 0 && /* No from plaintext Mails or FTP */
+              !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) {
+      switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow);
+      return(1);
     } else {
       flow->extra_packets_func = NULL;
       return(0); /* That's all */
@@ -1410,7 +1723,6 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
   packet->payload_packet_len = p_len; /* Restore */
 
   if(no_dtls || change_cipher_found || flow->tls_quic.certificate_processed) {
-    NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_DTLS);
     return(0); /* That's all */
   } else {
     return(1); /* Keep working */
@@ -1446,6 +1758,8 @@ void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_st
     ndpi_free(flow->tls_quic.message[1].buffer);
   memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1]));
 
+  flow->tls_quic.from_opportunistic_tls = 1;
+
   tlsInitExtraPacketProcessing(ndpi_struct, flow);
 }
 
@@ -1466,6 +1780,14 @@ void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
     if(flow->tls_quic.message[1].buffer)
       ndpi_free(flow->tls_quic.message[1].buffer);
     memset(&flow->tls_quic.message[1], '\0', sizeof(flow->tls_quic.message[1]));
+
+    /* We will not check obfuscated heuristic (anymore) because we have been
+       called from the STUN code, but we need to clear the previous state
+       (if any) to trigger "standard" TLS/DTLS code */
+    if(flow->tls_quic.obfuscated_heur_state) {
+      ndpi_free(flow->tls_quic.obfuscated_heur_state);
+      flow->tls_quic.obfuscated_heur_state = NULL;
+    }
   }
 
   ndpi_search_tls_wrapper(ndpi_struct, flow);
@@ -3031,6 +3353,7 @@ compute_ja3c:
 static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct,
 				    struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  int rc = 0;
 
 #ifdef DEBUG_TLS
   printf("==>> %s() %u [len: %u][version: %u]\n",
@@ -3040,10 +3363,44 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st
 	 flow->protos.tls_quic.ssl_version);
 #endif
 
-  if(packet->udp != NULL || flow->stun.maybe_dtls)
-    ndpi_search_tls_udp(ndpi_struct, flow);
-  else
-    ndpi_search_tls_tcp(ndpi_struct, flow);
+  /* It is not easy to handle "standard" TLS/DTLS detection and (plain) obfuscated
+     heuristic at the SAME time. Use a trivial logic: switch to heuristic
+     code only if the standard functions fail */
+
+  /* We might be in extra-dissection data-path here (if we have been
+     called from STUN or from Mails/FTP/...), but plain obfuscated heuristic
+     is always checked in "standard" data-path! */
+
+  if(flow->tls_quic.obfuscated_heur_state == NULL) {
+    if(packet->udp != NULL || flow->stun.maybe_dtls)
+      rc = ndpi_search_tls_udp(ndpi_struct, flow);
+    else
+      rc = ndpi_search_tls_tcp(ndpi_struct, flow);
+
+    if(rc == 0)
+      flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state));
+  }
+
+  /* We should check for this TLS heuristic if:
+     * the feature is enabled
+     * this flow doesn't seem a real TLS/DTLS one
+     * we are not here from STUN code or from opportunistic tls path (mails/ftp)
+     * with TCP, we got the 3WHS (so that we can process the beginning of the flow)
+  */
+  if(flow->tls_quic.obfuscated_heur_state &&
+     (ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN) &&
+     flow->stun.maybe_dtls == 0 &&
+     flow->tls_quic.from_opportunistic_tls == 0 &&
+     ((flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow)) ||
+      flow->l4_proto == IPPROTO_UDP) &&
+     !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) {
+    tls_obfuscated_heur_search_again(ndpi_struct, flow);
+  } else if(rc == 0) {
+    if(packet->udp != NULL || flow->stun.maybe_dtls)
+      NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_DTLS);
+    else
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  }
 }
 
 /* **************************************** */
diff --git a/tests/cfgs/default/pcap/tls_heur__shadowsocks-tcp.pcapng b/tests/cfgs/default/pcap/tls_heur__shadowsocks-tcp.pcapng
new file mode 100644
index 000000000..25a368f3c
--- /dev/null
+++ b/tests/cfgs/default/pcap/tls_heur__shadowsocks-tcp.pcapng
diff --git a/tests/cfgs/default/pcap/tls_heur__trojan-tcp-tls.pcapng b/tests/cfgs/default/pcap/tls_heur__trojan-tcp-tls.pcapng
new file mode 100644
index 000000000..48ea47579
--- /dev/null
+++ b/tests/cfgs/default/pcap/tls_heur__trojan-tcp-tls.pcapng
diff --git a/tests/cfgs/default/pcap/tls_heur__vmess-tcp-tls.pcapng b/tests/cfgs/default/pcap/tls_heur__vmess-tcp-tls.pcapng
new file mode 100644
index 000000000..36fa9b1c7
--- /dev/null
+++ b/tests/cfgs/default/pcap/tls_heur__vmess-tcp-tls.pcapng
diff --git a/tests/cfgs/default/pcap/tls_heur__vmess-tcp.pcapng b/tests/cfgs/default/pcap/tls_heur__vmess-tcp.pcapng
new file mode 100644
index 000000000..1a5c7d0c5
--- /dev/null
+++ b/tests/cfgs/default/pcap/tls_heur__vmess-tcp.pcapng
diff --git a/tests/cfgs/default/pcap/tls_heur__vmess-websocket.pcapng b/tests/cfgs/default/pcap/tls_heur__vmess-websocket.pcapng
new file mode 100644
index 000000000..03ae5a605
--- /dev/null
+++ b/tests/cfgs/default/pcap/tls_heur__vmess-websocket.pcapng
diff --git a/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out
new file mode 100644
index 000000000..d6f43f7b6
--- /dev/null
+++ b/tests/cfgs/default/result/tls_heur__shadowsocks-tcp.pcapng.out
@@ -0,0 +1,44 @@
+DPI Packets (TCP):	34	(11.33 pkts/flow)
+DPI Packets (UDP):	3	(3.00 pkts/flow)
+Confidence Unknown          : 1 (flows)
+Confidence DPI              : 3 (flows)
+Num dissector calls: 413 (103.25 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/1/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    1/3/0 (insert/search/found)
+Automa host:          4/4 (search/found)
+Automa domain:        4/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   1/0 (search/found)
+Patricia protocols:   6/0 (search/found)
+Patricia protocols IPv6: 1/1 (search/found)
+
+Unknown	25	22923	1
+YouTube	45	36920	2
+SOCKS	30	21330	1
+
+Acceptable                      30 21330         1            
+Fun                             45 36920         2            
+Unrated                         25 22923         1            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 2001:b07:a3d:c112:8628:88aa:8b00:913c 	 1      
+
+
+	1	TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:45334 <-> [2a00:1450:4002:416::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 6][cat: Media/1][20 pkts/2589 bytes <-> 21 pkts/33559 bytes][Goodput ratio: 32/94][0.12 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.857 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/6 46/49 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 129/1598 605/6128 124/1604][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 9,0,0,0,0,0,4,0,4,0,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,0,0,0,0,0,13]
+	2	TCP 127.0.0.1:44424 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][18 pkts/2079 bytes <-> 12 pkts/19251 bytes][Goodput ratio: 41/96][0.15 sec][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/50 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 116/1604 585/9955 117/2915][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,24,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,11]
+	3	UDP 127.0.0.1:41182 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+	1	TCP 127.0.0.1:40164 <-> 127.0.0.1:1234 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 22][14 pkts/2036 bytes <-> 11 pkts/20887 bytes][Goodput ratio: 53/96][0.17 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/21 52/52 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 145/1899 704/7496 163/2354][Risk: ** Fully Encrypted Flow **][Risk Score: 50][PLAIN TEXT (GYrp0@)][Plen Bins: 0,0,15,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,7,0,0,0,0,0,0,0,23]
diff --git a/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out
new file mode 100644
index 000000000..fc61e30a9
--- /dev/null
+++ b/tests/cfgs/default/result/tls_heur__trojan-tcp-tls.pcapng.out
@@ -0,0 +1,48 @@
+DPI Packets (TCP):	18	(6.00 pkts/flow)
+DPI Packets (UDP):	15	(2.14 pkts/flow)
+Confidence DPI              : 10 (flows)
+Num dissector calls: 167 (16.70 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    3/3/1 (insert/search/found)
+Automa host:          17/8 (search/found)
+Automa domain:        17/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     7/0 (search/found)
+Automa common alpns:  4/4 (search/found)
+Patricia risk mask:   14/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   19/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS	8	680	4
+TLS	25	11617	1
+YouTube	40	17498	4
+SOCKS	27	9979	1
+
+Safe                            25 11617         1            
+Acceptable                      35 10659         5            
+Fun                             40 17498         4            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 127.0.0.1                	 1      
+	2	 192.168.1.183            	 1      
+
+
+	1	TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0]
+	2	TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13]
+	3	TCP 127.0.0.1:60654 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 10 pkts/7980 bytes][Goodput ratio: 42/91][0.19 sec][bytes ratio: -0.599 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/43 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/798 585/4164 119/1276][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12]
+	4	UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.1.183:54260 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/344 bytes][Goodput ratio: 49/87][0.03 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:411::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	UDP 127.0.0.1:53154 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 192.168.1.183:39434 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 127.0.0.1:56496 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	UDP 192.168.1.183:38613 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out
new file mode 100644
index 000000000..43fc12589
--- /dev/null
+++ b/tests/cfgs/default/result/tls_heur__vmess-tcp-tls.pcapng.out
@@ -0,0 +1,48 @@
+DPI Packets (TCP):	18	(6.00 pkts/flow)
+DPI Packets (UDP):	15	(2.14 pkts/flow)
+Confidence DPI              : 10 (flows)
+Num dissector calls: 167 (16.70 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    3/3/1 (insert/search/found)
+Automa host:          17/8 (search/found)
+Automa domain:        17/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     7/0 (search/found)
+Automa common alpns:  4/4 (search/found)
+Patricia risk mask:   14/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   19/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS	8	680	4
+TLS	30	14152	1
+YouTube	34	22317	4
+SOCKS	28	10046	1
+
+Safe                            30 14152         1            
+Acceptable                      36 10726         5            
+Fun                             34 22317         4            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 127.0.0.1                	 1      
+	2	 192.168.1.183            	 1      
+
+
+	1	TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6]
+	2	TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19]
+	3	TCP 127.0.0.1:40136 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 11 pkts/8047 bytes][Goodput ratio: 42/91][0.14 sec][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/1 40/4 14/2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/732 585/2612 119/967][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18]
+	4	UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.1.183:41933 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/237 bytes][Goodput ratio: 49/81][0.00 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:410::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	UDP 127.0.0.1:45262 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 192.168.1.183:42485 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 127.0.0.1:50125 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	UDP 192.168.1.183:58009 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out
new file mode 100644
index 000000000..6f3f08650
--- /dev/null
+++ b/tests/cfgs/default/result/tls_heur__vmess-tcp.pcapng.out
@@ -0,0 +1,44 @@
+DPI Packets (TCP):	38	(12.67 pkts/flow)
+DPI Packets (UDP):	3	(3.00 pkts/flow)
+Confidence Unknown          : 1 (flows)
+Confidence DPI              : 3 (flows)
+Num dissector calls: 416 (104.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/1/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    1/3/0 (insert/search/found)
+Automa host:          4/4 (search/found)
+Automa domain:        4/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   1/0 (search/found)
+Patricia protocols:   6/0 (search/found)
+Patricia protocols IPv6: 1/1 (search/found)
+
+Unknown	29	22543	1
+YouTube	41	25855	2
+SOCKS	30	21345	1
+
+Acceptable                      30 21345         1            
+Fun                             41 25855         2            
+Unrated                         29 22543         1            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 2001:b07:a3d:c112:8628:88aa:8b00:913c 	 1      
+
+
+	1	TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:48302 <-> [2a00:1450:4006:80d::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][19 pkts/2517 bytes <-> 18 pkts/22438 bytes][Goodput ratio: 33/93][2.20 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/10 1024/77 344/20][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 132/1247 605/2504 117/854][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 10,5,5,0,5,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,5,0,0,0,0,0,0,0,25]
+	2	TCP 127.0.0.1:37218 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1875 bytes <-> 15 pkts/19470 bytes][Goodput ratio: 45/95][2.27 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/178 2080/2039 572/561][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 125/1298 585/7183 125/2425][PLAIN TEXT (www.youtube.com)][Plen Bins: 34,26,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20]
+	3	UDP 127.0.0.1:35957 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/724 bytes][Goodput ratio: 50/88][0.00 sec][Hostname/SNI: www.youtube.com][172.217.18.46][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+	1	TCP 127.0.0.1:40818 <-> 127.0.0.1:1234 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][13 pkts/2126 bytes <-> 16 pkts/20417 bytes][Goodput ratio: 58/95][2.27 sec][bytes ratio: -0.811 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/171 2079/2079 619/551][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 164/1276 749/4794 178/1603][Risk: ** Fully Encrypted Flow **][Risk Score: 50][PLAIN TEXT (Zy61zL)][Plen Bins: 0,0,6,20,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,33]
diff --git a/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out
new file mode 100644
index 000000000..8ca0321df
--- /dev/null
+++ b/tests/cfgs/default/result/tls_heur__vmess-websocket.pcapng.out
@@ -0,0 +1,39 @@
+DPI Packets (TCP):	18	(6.00 pkts/flow)
+DPI Packets (UDP):	2	(2.00 pkts/flow)
+Confidence DPI              : 4 (flows)
+Num dissector calls: 173 (43.25 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    1/3/1 (insert/search/found)
+Automa host:          4/3 (search/found)
+Automa domain:        4/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   7/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+HTTP	35	22912	1
+YouTube	32	24681	2
+SOCKS	33	21475	1
+
+Acceptable                      68 44387         2            
+Fun                             32 24681         2            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.183            	 1      
+
+
+	1	TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5]
+	2	TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 60][Risk Info: Found host 127.0.0.1][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45]
+	3	TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26]
+	4	UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/tls_heuristics_enabled/config.txt b/tests/cfgs/tls_heuristics_enabled/config.txt
new file mode 100644
index 000000000..0fece59c0
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/config.txt
@@ -0,0 +1 @@
+--cfg=tls,dpi.heuristics,0x07 --cfg=tls,dpi.heuristics.max_packets_extra_dissection,25
diff --git a/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__shadowsocks-tcp.pcapng b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__shadowsocks-tcp.pcapng
new file mode 120000
index 000000000..2a9fd12c9
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__shadowsocks-tcp.pcapng
@@ -0,0 +1 @@
+../../default/pcap/tls_heur__shadowsocks-tcp.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__trojan-tcp-tls.pcapng b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__trojan-tcp-tls.pcapng
new file mode 120000
index 000000000..6efb15e61
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__trojan-tcp-tls.pcapng
@@ -0,0 +1 @@
+../../default/pcap/tls_heur__trojan-tcp-tls.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-tcp-tls.pcapng b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-tcp-tls.pcapng
new file mode 120000
index 000000000..76794d1dc
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-tcp-tls.pcapng
@@ -0,0 +1 @@
+../../default/pcap/tls_heur__vmess-tcp-tls.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-tcp.pcapng b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-tcp.pcapng
new file mode 120000
index 000000000..654a15690
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-tcp.pcapng
@@ -0,0 +1 @@
+../../default/pcap/tls_heur__vmess-tcp.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-websocket.pcapng b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-websocket.pcapng
new file mode 120000
index 000000000..a03d1e92e
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/pcap/tls_heur__vmess-websocket.pcapng
@@ -0,0 +1 @@
+../../default/pcap/tls_heur__vmess-websocket.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out
new file mode 100644
index 000000000..4742eea68
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__shadowsocks-tcp.pcapng.out
@@ -0,0 +1,41 @@
+DPI Packets (TCP):	27	(9.00 pkts/flow)
+DPI Packets (UDP):	3	(3.00 pkts/flow)
+Confidence DPI              : 3 (flows)
+Confidence DPI (aggressive) : 1 (flows)
+Num dissector calls: 408 (102.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    1/3/0 (insert/search/found)
+Automa host:          4/4 (search/found)
+Automa domain:        4/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   1/0 (search/found)
+Patricia protocols:   6/0 (search/found)
+Patricia protocols IPv6: 1/1 (search/found)
+
+TLS	25	22923	1
+YouTube	45	36920	2
+SOCKS	30	21330	1
+
+Safe                            25 22923         1            
+Acceptable                      30 21330         1            
+Fun                             45 36920         2            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 2001:b07:a3d:c112:8628:88aa:8b00:913c 	 1      
+
+
+	1	TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:45334 <-> [2a00:1450:4002:416::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 6][cat: Media/1][20 pkts/2589 bytes <-> 21 pkts/33559 bytes][Goodput ratio: 32/94][0.12 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.857 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/6 46/49 14/13][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 129/1598 605/6128 124/1604][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 9,0,0,0,0,0,4,0,4,0,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,56,0,0,0,0,0,0,0,0,0,13]
+	2	TCP 127.0.0.1:40164 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 15][cat: Web/5][14 pkts/2036 bytes <-> 11 pkts/20887 bytes][Goodput ratio: 53/96][0.17 sec][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/21 52/52 19/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 145/1899 704/7496 163/2354][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic][Plen Bins: 0,0,15,7,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,7,0,0,0,0,0,0,0,23]
+	3	TCP 127.0.0.1:44424 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][18 pkts/2079 bytes <-> 12 pkts/19251 bytes][Goodput ratio: 41/96][0.15 sec][bytes ratio: -0.805 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/50 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 116/1604 585/9955 117/2915][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,24,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,11]
+	4	UDP 127.0.0.1:41182 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out
new file mode 100644
index 000000000..689acf8ab
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__trojan-tcp-tls.pcapng.out
@@ -0,0 +1,49 @@
+DPI Packets (TCP):	35	(11.67 pkts/flow)
+DPI Packets (UDP):	15	(2.14 pkts/flow)
+Confidence DPI              : 9 (flows)
+Confidence DPI (aggressive) : 1 (flows)
+Num dissector calls: 167 (16.70 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    3/3/1 (insert/search/found)
+Automa host:          17/8 (search/found)
+Automa domain:        17/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     7/0 (search/found)
+Automa common alpns:  4/4 (search/found)
+Patricia risk mask:   14/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   19/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS	8	680	4
+TLS	25	11617	1
+YouTube	40	17498	4
+SOCKS	27	9979	1
+
+Safe                            25 11617         1            
+Acceptable                      35 10659         5            
+Fun                             40 17498         4            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 127.0.0.1                	 1      
+	2	 192.168.1.183            	 1      
+
+
+	1	TCP 192.168.1.183:58730 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][17 pkts/1985 bytes <-> 15 pkts/13936 bytes][Goodput ratio: 41/93][0.11 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/9 31/70 9/20][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 117/929 585/1468 126/632][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,51,0,0,0,0]
+	2	TCP 127.0.0.1:41796 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 23][cat: Web/5][13 pkts/2233 bytes <-> 12 pkts/9384 bytes][Goodput ratio: 60/91][0.14 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.616 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/6 46/30 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 172/782 675/2138 165/744][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,13,13,6,6,0,0,0,6,0,0,0,0,0,6,0,0,0,6,0,6,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,13]
+	3	TCP 127.0.0.1:60654 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 10 pkts/7980 bytes][Goodput ratio: 42/91][0.19 sec][bytes ratio: -0.599 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/7 46/43 16/15][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/798 585/4164 119/1276][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,6,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12]
+	4	UDP 127.0.0.1:52786 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/468 bytes][Goodput ratio: 50/81][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 192.168.1.183:46451 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/413 bytes][Goodput ratio: 49/89][0.03 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.1.183:54260 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/344 bytes][Goodput ratio: 49/87][0.03 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:411::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	UDP 127.0.0.1:53154 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 192.168.1.183:39434 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 127.0.0.1:56496 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	UDP 192.168.1.183:38613 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out
new file mode 100644
index 000000000..bbf0c5bd0
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp-tls.pcapng.out
@@ -0,0 +1,49 @@
+DPI Packets (TCP):	36	(12.00 pkts/flow)
+DPI Packets (UDP):	15	(2.14 pkts/flow)
+Confidence DPI              : 9 (flows)
+Confidence DPI (aggressive) : 1 (flows)
+Num dissector calls: 167 (16.70 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    3/3/1 (insert/search/found)
+Automa host:          17/8 (search/found)
+Automa domain:        17/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     7/0 (search/found)
+Automa common alpns:  4/4 (search/found)
+Patricia risk mask:   14/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   19/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS	8	680	4
+TLS	30	14152	1
+YouTube	34	22317	4
+SOCKS	28	10046	1
+
+Safe                            30 14152         1            
+Acceptable                      36 10726         5            
+Fun                             34 22317         4            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 127.0.0.1                	 1      
+	2	 192.168.1.183            	 1      
+
+
+	1	TCP 192.168.1.183:58612 <-> 216.58.204.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 15 pkts/19414 bytes][Goodput ratio: 52/95][0.10 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.850 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/8 74/66 24/18][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1294 585/6668 151/1565][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 12,6,6,0,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,44,0,0,0,6]
+	2	TCP 127.0.0.1:57874 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 24][cat: Web/5][16 pkts/2501 bytes <-> 14 pkts/11651 bytes][Goodput ratio: 56/92][0.16 sec][Hostname/SNI: test.lan][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.647 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/12 40/74 14/22][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 156/832 731/2138 166/797][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS-in-TLS traffic][TLSv1.3][JA3C: 7a15285d4efc355608b304698cd7f9ab][JA4: t13d1911h2_9dc949149365_e7c285222651][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 5,12,12,5,5,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,19]
+	3	TCP 127.0.0.1:40136 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][17 pkts/1999 bytes <-> 11 pkts/8047 bytes][Goodput ratio: 42/91][0.14 sec][bytes ratio: -0.602 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/1 40/4 14/2][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 118/732 585/2612 119/967][PLAIN TEXT (www.youtube.com)][Plen Bins: 37,25,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18]
+	4	UDP 127.0.0.1:46548 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/484 bytes][Goodput ratio: 50/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 192.168.1.183:49817 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/253 bytes][Goodput ratio: 49/82][0.00 sec][Hostname/SNI: www.youtube.com][216.58.204.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.1.183:41933 <-> 192.168.1.253:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/88 bytes <-> 1 pkts/237 bytes][Goodput ratio: 49/81][0.00 sec][Hostname/SNI: www.youtube.com][2a00:1450:4002:410::200e][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	UDP 127.0.0.1:45262 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 192.168.1.183:42485 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.00 sec][Hostname/SNI: test.lan][127.0.0.1][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 127.0.0.1:50125 <-> 127.0.0.53:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][0.00 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	UDP 192.168.1.183:58009 <-> 192.168.1.253:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/81 bytes][Goodput ratio: 45/45][< 1 sec][Hostname/SNI: test.lan][::][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out
new file mode 100644
index 000000000..36c68d4c4
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-tcp.pcapng.out
@@ -0,0 +1,41 @@
+DPI Packets (TCP):	35	(11.67 pkts/flow)
+DPI Packets (UDP):	3	(3.00 pkts/flow)
+Confidence DPI              : 3 (flows)
+Confidence DPI (aggressive) : 1 (flows)
+Num dissector calls: 421 (105.25 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    1/3/0 (insert/search/found)
+Automa host:          4/4 (search/found)
+Automa domain:        4/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   1/0 (search/found)
+Patricia protocols:   6/0 (search/found)
+Patricia protocols IPv6: 1/1 (search/found)
+
+TLS	29	22543	1
+YouTube	41	25855	2
+SOCKS	30	21345	1
+
+Safe                            29 22543         1            
+Acceptable                      30 21345         1            
+Fun                             41 25855         2            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 2001:b07:a3d:c112:8628:88aa:8b00:913c 	 1      
+
+
+	1	TCP [2001:b07:a3d:c112:8628:88aa:8b00:913c]:48302 <-> [2a00:1450:4006:80d::200e]:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 126/Google, Confidence: IP address][DPI packets: 8][cat: Media/1][19 pkts/2517 bytes <-> 18 pkts/22438 bytes][Goodput ratio: 33/93][2.20 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.798 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 146/10 1024/77 344/20][Pkt Len c2s/s2c min/avg/max/stddev: 88/88 132/1247 605/2504 117/854][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 10,5,5,0,5,0,0,5,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,30,0,5,0,0,0,0,0,0,0,25]
+	2	TCP 127.0.0.1:40818 <-> 127.0.0.1:1234 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 21][cat: Web/5][13 pkts/2126 bytes <-> 16 pkts/20417 bytes][Goodput ratio: 58/95][2.27 sec][bytes ratio: -0.811 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 225/171 2079/2079 619/551][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 164/1276 749/4794 178/1603][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic][Plen Bins: 0,0,6,20,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,34]
+	3	TCP 127.0.0.1:37218 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][15 pkts/1875 bytes <-> 15 pkts/19470 bytes][Goodput ratio: 45/95][2.27 sec][bytes ratio: -0.824 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/178 2080/2039 572/561][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 125/1298 585/7183 125/2425][PLAIN TEXT (www.youtube.com)][Plen Bins: 34,26,6,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20]
+	4	UDP 127.0.0.1:35957 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/724 bytes][Goodput ratio: 50/88][0.00 sec][Hostname/SNI: www.youtube.com][172.217.18.46][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out
new file mode 100644
index 000000000..e93257b15
--- /dev/null
+++ b/tests/cfgs/tls_heuristics_enabled/result/tls_heur__vmess-websocket.pcapng.out
@@ -0,0 +1,40 @@
+DPI Packets (TCP):	31	(10.33 pkts/flow)
+DPI Packets (UDP):	2	(2.00 pkts/flow)
+Confidence DPI              : 3 (flows)
+Confidence DPI (aggressive) : 1 (flows)
+Num dissector calls: 173 (43.25 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    1/3/1 (insert/search/found)
+Automa host:          4/3 (search/found)
+Automa domain:        4/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  2/2 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   7/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+HTTP	35	22912	1
+YouTube	32	24681	2
+SOCKS	33	21475	1
+
+Acceptable                      68 44387         2            
+Fun                             32 24681         2            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.183            	 1      
+
+
+	1	TCP 192.168.1.183:51390 <-> 142.250.180.142:443 [proto: 91.124/TLS.YouTube][IP: 126/Google][Encrypted][Confidence: DPI][FPC: 124/YouTube, Confidence: DNS][DPI packets: 6][cat: Media/1][11 pkts/1577 bytes <-> 17 pkts/22332 bytes][Goodput ratio: 52/95][0.14 sec][Hostname/SNI: www.youtube.com][(Advertised) ALPNs: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 16/9 81/74 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 143/1314 585/6668 160/1472][TLSv1.3][JA3C: 4ea056e63b7910cbf543f0c095064dfe][JA4: t13d3113h2_e8f1e7e78f70_ce5650b735ce][JA3S: 907bf3ecef1c987c889946b737b43de8][Firefox][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 18,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,55,0,0,0,5]
+	2	TCP 127.0.0.1:33702 <-> 127.0.0.1:1234 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 19][cat: Web/5][19 pkts/2630 bytes <-> 16 pkts/20282 bytes][Goodput ratio: 51/95][0.17 sec][Hostname/SNI: 127.0.0.1][bytes ratio: -0.770 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 52/76 16/21][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 138/1268 767/2120 172/862][URL: 127.0.0.1:1234/][StatusCode: 101][User-Agent: Go-http-client/1.1][Risk: ** Known Proto on Non Std Port **** HTTP/TLS/QUIC Numeric Hostname/SNI **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Found host 127.0.0.1 / Obfuscated TLS-in-HTTP-WebSocket traffic][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,11,0,5,5,0,0,0,0,0,5,0,0,5,0,0,0,0,0,5,11,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,45]
+	3	TCP 127.0.0.1:44532 <-> 127.0.0.1:1080 [proto: 172/SOCKS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Web/5][20 pkts/2203 bytes <-> 13 pkts/19272 bytes][Goodput ratio: 38/95][0.17 sec][bytes ratio: -0.795 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/10 44/82 16/26][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 110/1482 585/4000 112/1624][PLAIN TEXT (www.youtube.com)][Plen Bins: 31,21,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26]
+	4	UDP 127.0.0.1:39646 <-> 127.0.0.53:53 [proto: 5.124/DNS.YouTube][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.124/DNS.YouTube, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/176 bytes <-> 2 pkts/596 bytes][Goodput ratio: 50/85][0.00 sec][Hostname/SNI: www.youtube.com][142.250.180.142][PLAIN TEXT (youtube)][Plen Bins: 0,50,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]