authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2021-12-22 19:54:06 +0100
committerGitHub <noreply@github.com>2021-12-22 19:54:06 +0100
commit91bb77a8806ee2987e856f66674cf3aa8b1d60db (patch)
tree0f2a06cc9b64a8af221552e87ae771ac882ab4b5 /src/lib/protocols
parent02da143e4567cbfe32b139561ec3a702ce380fc7 (diff)
A final(?) effort to reduce memory usage per flow (#1389)
Remove some unused fields and re-organize other ones. In particular: * Update the parameters of `ndpi_ssl_version2str()` function * Zattoo, Thunder: these timestamps aren't really used. * Ftp/mail: these protocols are dissected only over TCP. * Attention must be paid to TLS.Bittorrent flows to avoid invalid read/write to `flow->protos.bittorrent.hash` field. This is the last(?) commit of a long series (see 22241a1d, 227e586e, 730c2360, a8ffcd8b) aiming to reduce library memory consumption. Before, at nDPI 4.0 (more precisely, at a6b10cf7, because memory stats were wrong until that commit): ``` nDPI Memory statistics: nDPI Memory (once): 221.15 KB Flow Memory (per flow): 2.94 KB ``` Now: ``` nDPI Memory statistics: nDPI Memory (once): 231.71 KB Flow Memory (per flow): 1008 B <--------- ``` i.e. memory usage per flow has been reduced by 66%, dropping below the psychological threshold of 1 KB. To further reduce this value, we probably need to look into #1279: let's fight this battle another day.
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/ftp_control.c22
-rw-r--r--src/lib/protocols/http.c25
-rw-r--r--src/lib/protocols/mail_imap.c10
-rw-r--r--src/lib/protocols/mail_pop.c12
-rw-r--r--src/lib/protocols/mail_smtp.c58
-rw-r--r--src/lib/protocols/thunder.c27
-rw-r--r--src/lib/protocols/tls.c5
-rw-r--r--src/lib/protocols/zattoo.c14
8 files changed, 65 insertions, 108 deletions
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index 2b6f1396f..81e475041 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -50,23 +50,23 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n
#endif
if(ndpi_match_strprefix(payload, payload_len, "USER")) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.username,
- sizeof(flow->ftp_imap_pop_smtp.username), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.username,
+ sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 5,
payload, payload_len);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
return 1;
}
if(ndpi_match_strprefix(payload, payload_len, "PASS")) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.password,
- sizeof(flow->ftp_imap_pop_smtp.password), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.password,
+ sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5,
payload, payload_len);
return 1;
}
if(ndpi_match_strprefix(payload, payload_len, "AUTH") ||
ndpi_match_strprefix(payload, payload_len, "auth")) {
- flow->ftp_imap_pop_smtp.auth_found = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 1;
return 1;
}
/* ***************************************************** */
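Review bot: The credential fields now sit under `flow->l4.tcp`, which looks like the TCP arm of a per-transport union (the declaration is not in this diff), yet nothing at the call sites records that they are valid only on TCP flows. The commit message gives the reason ("dissected only over TCP"), but a reader outside these dissectors that prints `username`/`password` for any flow would, on a UDP flow, be interpreting unrelated state as a credential string. I would add a comment at the field declaration such as `/* valid only when the flow is TCP; check the L4 protocol before reading */`. The same applies to the mail_imap.c, mail_pop.c and mail_smtp.c hunks below, and to the `FTP_DEBUG` printf in the third hunk of this file.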
@@ -562,14 +562,14 @@ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow,
case '2':
case '3':
case '6':
- if(flow->ftp_imap_pop_smtp.auth_found == 1)
- flow->ftp_imap_pop_smtp.auth_tls = 1;
+ if(flow->l4.tcp.ftp_imap_pop_smtp.auth_found == 1)
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_tls = 1;
return(1);
break;
case '4':
case '5':
- flow->ftp_imap_pop_smtp.auth_failed = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_failed = 1;
return(1);
break;
}
@@ -632,11 +632,11 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str
#ifdef FTP_DEBUG
printf("%s() [user: %s][pwd: %s]\n", __FUNCTION__,
- flow->ftp_imap_pop_smtp.username, flow->ftp_imap_pop_smtp.password);
+ flow->l4.tcp.ftp_imap_pop_smtp.username, flow->l4.tcp.ftp_imap_pop_smtp.password);
#endif
- if(flow->ftp_imap_pop_smtp.password[0] == '\0' &&
- flow->ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */
+ if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0' &&
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */
flow->ftp_control_stage = 0;
else
ndpi_int_ftp_control_add_connection(ndpi_struct, flow);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 105ef1bca..b2116a8fe 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -370,8 +370,9 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
/* Good reference for future implementations:
* https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */
- snprintf((char*)flow->http.detected_os,
- sizeof(flow->http.detected_os), "%s", ua);
+ if(flow->http.detected_os == NULL) {
+ flow->http.detected_os = ndpi_strdup(ua);
+ }
}
/* ************************************************************* */
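Review bot: `flow->http.detected_os = ndpi_strdup(ua);` turns a fixed in-struct buffer into a heap pointer owned by the flow, and this part of the diff (limited to src/lib/protocols) shows neither where it is released nor whether readers tolerate NULL. Please confirm the flow-free path releases both `http.detected_os` and `http.nat_ip`, and that every reader handles the pointer staying NULL when `ndpi_strdup()` fails. A short comment here would help, for example `/* heap copy owned by the flow; may stay NULL on allocation failure */`. The old `snprintf()` also capped the stored length at the buffer size, whereas the copy now follows the length of `ua`, which presumably derives from the request's User-Agent header. The body of setHttpUserAgent starts outside the hunk.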
@@ -606,9 +607,14 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(strlen(flow->host_server_name) > 0) ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1);
if(packet->forwarded_line.ptr) {
- len = ndpi_min(packet->forwarded_line.len, sizeof(flow->http.nat_ip)-1);
- strncpy((char*)flow->http.nat_ip, (char*)packet->forwarded_line.ptr, len);
- flow->http.nat_ip[len] = '\0';
+ if(flow->http.nat_ip == NULL) {
+ len = packet->forwarded_line.len;
+ flow->http.nat_ip = ndpi_malloc(len + 1);
+ if(flow->http.nat_ip == NULL) {
+ strncpy(flow->http.nat_ip, (char*)packet->forwarded_line.ptr, len);
+ flow->http.nat_ip[len] = '\0';
+ }
+ }
}
ndpi_http_parse_subprotocol(ndpi_struct, flow);
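Review bot: The NULL test that follows `ndpi_malloc(len + 1)` is inverted. The inner `if(flow->http.nat_ip == NULL)` runs `strncpy()` and the terminator write only when the allocation failed, which is a NULL dereference. When the allocation succeeds, the new buffer is never filled or terminated, so any later reader of `nat_ip` treats uninitialised heap bytes as a string. The inner condition should be `if(flow->http.nat_ip != NULL) {`. Separately, the previous `sizeof(flow->http.nat_ip)-1` cap is gone, so the allocation size now follows the length of the forwarded header taken from the request; a small upper bound on `len` would keep per-flow memory predictable. The enclosing function starts and ends outside the hunk.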
@@ -1074,9 +1080,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
else
flow->http.request_version = 0;
- /* Set the first found headers in request */
- flow->http.num_request_headers = packet->http_num_headers;
-
/* Check for Ookla */
if((packet->referer_line.len > 0)
&& ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) {
@@ -1155,9 +1158,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
ndpi_parse_packet_line_info(ndpi_struct, flow);
- // Add more found HTTP request headers.
- flow->http.num_request_headers+=packet->http_num_headers;
-
if(packet->parsed_lines <= 1) {
/* wait some packets in case request is split over more than 2 packets */
if(flow->packet_counter < 5) {
@@ -1213,9 +1213,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
ndpi_parse_packet_line_info(ndpi_struct, flow);
check_content_type_and_change_protocol(ndpi_struct, flow);
- if(packet->packet_direction == 1 /* server -> client */)
- flow->http.num_response_headers += packet->http_num_headers; /* flow structs are initialized with zeros */
-
if(packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
NDPI_LOG_DBG2(ndpi_struct, "empty line. check_http_payload\n");
check_http_payload(ndpi_struct, flow);
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 8a4e8fa2e..317ac1848 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -177,16 +177,16 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if(user) {
char *pwd;
- snprintf(flow->ftp_imap_pop_smtp.username,
- sizeof(flow->ftp_imap_pop_smtp.username),
+ snprintf(flow->l4.tcp.ftp_imap_pop_smtp.username,
+ sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username),
"%s", user);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
pwd = strtok_r(NULL, " \"\r\n", &saveptr);
if(pwd) {
- snprintf(flow->ftp_imap_pop_smtp.password,
- sizeof(flow->ftp_imap_pop_smtp.password),
+ snprintf(flow->l4.tcp.ftp_imap_pop_smtp.password,
+ sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password),
"%s", pwd);
}
}
@@ -320,7 +320,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
|| (flow->l4.tcp.mail_imap_stage == 5)
|| (flow->l4.tcp.mail_imap_stage == 7)
) {
- if((flow->ftp_imap_pop_smtp.username[0] != '\0')
+ if((flow->l4.tcp.ftp_imap_pop_smtp.username[0] != '\0')
|| (flow->l4.tcp.mail_imap_stage >= 7)) {
NDPI_LOG_INFO(ndpi_struct, "found MAIL_IMAP\n");
ndpi_int_mail_imap_add_connection(ndpi_struct, flow);
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index 483c4da35..125fe5da1 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -77,8 +77,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
&& (packet->payload[1] == 'S' || packet->payload[1] == 's')
&& (packet->payload[2] == 'E' || packet->payload[2] == 'e')
&& (packet->payload[3] == 'R' || packet->payload[3] == 'r')) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.username,
- sizeof(flow->ftp_imap_pop_smtp.username), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.username,
+ sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 5,
packet->payload, packet->payload_packet_len);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
@@ -88,8 +88,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
&& (packet->payload[1] == 'A' || packet->payload[1] == 'a')
&& (packet->payload[2] == 'S' || packet->payload[2] == 's')
&& (packet->payload[3] == 'S' || packet->payload[3] == 's')) {
- ndpi_user_pwd_payload_copy((u_int8_t*)flow->ftp_imap_pop_smtp.password,
- sizeof(flow->ftp_imap_pop_smtp.password), 5,
+ ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.password,
+ sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5,
packet->payload, packet->payload_packet_len);
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
@@ -182,7 +182,7 @@ void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct
if(flow->l4.tcp.mail_pop_stage > 0) {
NDPI_LOG_INFO(ndpi_struct, "mail_pop identified\n");
- if((flow->ftp_imap_pop_smtp.password[0] != '\0')
+ if((flow->l4.tcp.ftp_imap_pop_smtp.password[0] != '\0')
|| (flow->l4.tcp.mail_pop_stage > 3)) {
ndpi_int_mail_pop_add_connection(ndpi_struct, flow);
popInitExtraPacketProcessing(flow);
@@ -222,7 +222,7 @@ int ndpi_extra_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_str
ndpi_search_mail_pop_tcp(ndpi_struct, flow);
- rc = (flow->ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
+ rc = (flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
#ifdef POP_DEBUG
printf("**** %s() [rc: %d]\n", __FUNCTION__, rc);
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index e1d98dd35..ce3ba4058 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -93,19 +93,19 @@ static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi
user_len = i - 1;
}
if(user_len > 0) {
- user_len = ndpi_min(user_len, sizeof(flow->ftp_imap_pop_smtp.username) - 1);
+ user_len = ndpi_min(user_len, sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username) - 1);
- memcpy(flow->ftp_imap_pop_smtp.username, out + 1, user_len);
- flow->ftp_imap_pop_smtp.username[user_len] = '\0';
+ memcpy(flow->l4.tcp.ftp_imap_pop_smtp.username, out + 1, user_len);
+ flow->l4.tcp.ftp_imap_pop_smtp.username[user_len] = '\0';
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
if(1 + user_len + 1 < out_len) {
unsigned int pwd_len;
- pwd_len = ndpi_min(out_len - (1 + user_len + 1), sizeof(flow->ftp_imap_pop_smtp.password) - 1);
- memcpy(flow->ftp_imap_pop_smtp.password, out + 1 + user_len + 1, pwd_len);
- flow->ftp_imap_pop_smtp.password[pwd_len] = '\0';
+ pwd_len = ndpi_min(out_len - (1 + user_len + 1), sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password) - 1);
+ memcpy(flow->l4.tcp.ftp_imap_pop_smtp.password, out + 1 + user_len + 1, pwd_len);
+ flow->l4.tcp.ftp_imap_pop_smtp.password[pwd_len] = '\0';
}
}
ndpi_free(out);
@@ -182,25 +182,25 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->line[a].ptr[3] == 'O' || packet->line[a].ptr[3] == 'o')
&& packet->line[a].ptr[4] == ' ') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_HELO_EHLO;
- flow->ftp_imap_pop_smtp.auth_found = 0;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 0;
} else if((packet->line[a].ptr[0] == 'M' || packet->line[a].ptr[0] == 'm')
&& (packet->line[a].ptr[1] == 'A' || packet->line[a].ptr[1] == 'a')
&& (packet->line[a].ptr[2] == 'I' || packet->line[a].ptr[2] == 'i')
&& (packet->line[a].ptr[3] == 'L' || packet->line[a].ptr[3] == 'l')
&& packet->line[a].ptr[4] == ' ') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_MAIL;
- flow->ftp_imap_pop_smtp.auth_found = 0;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 0;
/* We shouldn't be here if there are credentials */
- flow->ftp_imap_pop_smtp.auth_done = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1;
} else if((packet->line[a].ptr[0] == 'R' || packet->line[a].ptr[0] == 'r')
&& (packet->line[a].ptr[1] == 'C' || packet->line[a].ptr[1] == 'c')
&& (packet->line[a].ptr[2] == 'P' || packet->line[a].ptr[2] == 'p')
&& (packet->line[a].ptr[3] == 'T' || packet->line[a].ptr[3] == 't')
&& packet->line[a].ptr[4] == ' ') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_RCPT;
- flow->ftp_imap_pop_smtp.auth_found = 0;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 0;
/* We shouldn't be here if there are credentials */
- flow->ftp_imap_pop_smtp.auth_done = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1;
} else if((packet->line[a].ptr[0] == 'A' || packet->line[a].ptr[0] == 'a')
&& (packet->line[a].ptr[1] == 'U' || packet->line[a].ptr[1] == 'u')
&& (packet->line[a].ptr[2] == 'T' || packet->line[a].ptr[2] == 't')
@@ -209,7 +209,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef SMTP_DEBUG
printf("%s() AUTH [%.*s]\n", __FUNCTION__, packet->line[a].len, packet->line[a].ptr);
#endif
- flow->ftp_imap_pop_smtp.auth_found = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 1;
if(packet->line[a].len >= 6) {
if(packet->line[a].ptr[5] == 'L' || packet->line[a].ptr[5] == 'l') {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_LOGIN;
@@ -219,7 +219,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
/* AUTH PLAIN: username and pwd here */
get_credentials_auth_plain(ndpi_struct, flow,
packet->line[a].ptr, packet->line[a].len);
- flow->ftp_imap_pop_smtp.auth_done = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1;
}
}
} else {
@@ -228,9 +228,9 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
printf("%s() => [%.*s]\n", __FUNCTION__, packet->line[a].len, packet->line[a].ptr);
#endif
- if(flow->ftp_imap_pop_smtp.auth_found &&
+ if(flow->l4.tcp.ftp_imap_pop_smtp.auth_found &&
(flow->l4.tcp.smtp_command_bitmask & SMTP_BIT_AUTH_LOGIN)) {
- if(flow->ftp_imap_pop_smtp.username[0] == '\0') {
+ if(flow->l4.tcp.ftp_imap_pop_smtp.username[0] == '\0') {
/* Username */
u_int8_t buf[48];
u_char *out;
@@ -240,22 +240,22 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
packet->line[a].ptr, packet->line[a].len);
#ifdef SMTP_DEBUG
- printf("%s() => [auth: %u] (username) [%s]\n", __FUNCTION__, flow->ftp_imap_pop_smtp.auth_found, buf);
+ printf("%s() => [auth: %u] (username) [%s]\n", __FUNCTION__, flow->l4.tcp.ftp_imap_pop_smtp.auth_found, buf);
#endif
out = ndpi_base64_decode((const u_char*)buf, (size_t)strlen((const char*)buf), &out_len);
if(out) {
- size_t len = ndpi_min(out_len, sizeof(flow->ftp_imap_pop_smtp.username) - 1);
+ size_t len = ndpi_min(out_len, sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username) - 1);
- memcpy(flow->ftp_imap_pop_smtp.username, out, len);
- flow->ftp_imap_pop_smtp.username[len] = '\0';
+ memcpy(flow->l4.tcp.ftp_imap_pop_smtp.username, out, len);
+ flow->l4.tcp.ftp_imap_pop_smtp.username[len] = '\0';
ndpi_free(out);
}
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
- } else if(flow->ftp_imap_pop_smtp.password[0] == '\0') {
+ } else if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') {
/* Password */
u_int8_t buf[48];
u_char *out;
@@ -265,23 +265,23 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
packet->line[a].ptr, packet->line[a].len);
#ifdef SMTP_DEBUG
- printf("%s() => [auth: %u] (password) [%s]\n", __FUNCTION__, flow->ftp_imap_pop_smtp.auth_found, buf);
+ printf("%s() => [auth: %u] (password) [%s]\n", __FUNCTION__, flow->l4.tcp.ftp_imap_pop_smtp.auth_found, buf);
#endif
out = ndpi_base64_decode((const u_char*)buf, (size_t)strlen((const char*)buf), &out_len);
if(out) {
- size_t len = ndpi_min(out_len, sizeof(flow->ftp_imap_pop_smtp.password) - 1);
+ size_t len = ndpi_min(out_len, sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password) - 1);
- memcpy(flow->ftp_imap_pop_smtp.password, out, len);
- flow->ftp_imap_pop_smtp.password[len] = '\0';
+ memcpy(flow->l4.tcp.ftp_imap_pop_smtp.password, out, len);
+ flow->l4.tcp.ftp_imap_pop_smtp.password[len] = '\0';
ndpi_free(out);
}
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
- flow->ftp_imap_pop_smtp.auth_done = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1;
} else {
flow->host_server_name[0] = '\0';
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
@@ -302,8 +302,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[6] == 'l')
&& (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[7] == 's')) {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS;
- flow->ftp_imap_pop_smtp.auth_tls = 1;
- flow->ftp_imap_pop_smtp.auth_done = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_tls = 1;
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1;
}
}
@@ -341,7 +341,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef SMTP_DEBUG
printf("%s() [bit_count: %u][%s]\n", __FUNCTION__,
- bit_count, flow->ftp_imap_pop_smtp.password);
+ bit_count, flow->l4.tcp.ftp_imap_pop_smtp.password);
#endif
/* Only if we don't have already set the protocol via hostname matching */
@@ -379,7 +379,7 @@ int ndpi_extra_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_st
ndpi_search_mail_smtp_tcp(ndpi_struct, flow);
- rc = (flow->ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
+ rc = (flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') ? 1 : 0;
#ifdef SMTP_DEBUG
printf("**** %s() [rc: %d]\n", __FUNCTION__, rc);
diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c
index 31fa720d4..1b33c41d7 100644
--- a/src/lib/protocols/thunder.c
+++ b/src/lib/protocols/thunder.c
@@ -32,18 +32,7 @@
static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */)
{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER, NDPI_PROTOCOL_UNKNOWN);
-
- if (src != NULL) {
- src->thunder_ts = packet->current_time_ms;
- }
- if (dst != NULL) {
- dst->thunder_ts = packet->current_time_ms;
- }
}
@@ -149,22 +138,6 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
-
- if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_THUNDER) {
- if (src != NULL && ((u_int32_t)
- (packet->current_time_ms - src->thunder_ts) < ndpi_struct->thunder_timeout)) {
- NDPI_LOG_DBG2(ndpi_struct,
- "thunder : save src connection packet detected\n");
- src->thunder_ts = packet->current_time_ms;
- } else if (dst != NULL && ((u_int32_t)
- (packet->current_time_ms - dst->thunder_ts) < ndpi_struct->thunder_timeout)) {
- NDPI_LOG_DBG2(ndpi_struct,
- "thunder : save dst connection packet detected\n");
- dst->thunder_ts = packet->current_time_ms;
- }
- return;
- }
-
if (packet->payload_packet_len > 5
&& memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) {
NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n");
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 87553de87..b8f8159e5 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2030,6 +2030,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t s_offset = offset+extension_offset;
u_int8_t version_len = packet->payload[s_offset];
char version_str[256];
+ char buf_ver_tmp[16];
size_t version_str_len = 0;
version_str[0] = 0;
#ifdef DEBUG_TLS
@@ -2049,14 +2050,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("Client TLS [TLS version: %s/0x%04X]\n",
- ndpi_ssl_version2str(flow, tls_version, &unknown_tls_version), tls_version);
+ ndpi_ssl_version2str(buf_ver_tmp, sizeof(buf_ver_tmp), tls_version, &unknown_tls_version), tls_version);
#endif
if((version_str_len+8) < sizeof(version_str)) {
int rc = snprintf(&version_str[version_str_len],
sizeof(version_str) - version_str_len, "%s%s",
(version_str_len > 0) ? "," : "",
- ndpi_ssl_version2str(flow, tls_version, &unknown_tls_version));
+ ndpi_ssl_version2str(buf_ver_tmp, sizeof(buf_ver_tmp), tls_version, &unknown_tls_version));
if(rc <= 0)
break;
else
diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c
index 6b3e9625c..b5b305ecb 100644
--- a/src/lib/protocols/zattoo.c
+++ b/src/lib/protocols/zattoo.c
@@ -47,30 +47,16 @@ u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndp
}
#define ZATTOO_DETECTED \
- if (src != NULL) \
- src->zattoo_ts = packet->current_time_ms; \
- if (dst != NULL) \
- dst->zattoo_ts = packet->current_time_ms; \
- \
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN)
void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
u_int16_t i;
NDPI_LOG_DBG(ndpi_struct, "search ZATTOO\n");
- if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) {
- if(src != NULL && ((u_int32_t) (packet->current_time_ms - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout))
- src->zattoo_ts = packet->current_time_ms;
- if (dst != NULL && ((u_int32_t) (packet->current_time_ms - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout))
- dst->zattoo_ts = packet->current_time_ms;
- return;
- }
/* search over TCP */
if(packet->tcp != NULL) {
if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) {