Zoom: faster detection of P2P flows (#2467)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-06-07 09:50:41 +0200
committer: GitHub <noreply@github.com> 2024-06-07 09:50:41 +0200
commit: 070a0908b30c055bf0590fb0d10557c1acf70401 (patch)
tree: d13a0ddffabcad6f45e53aa7d4c03adca1e306e6 /tests/cfgs/default/result
parent: 619005c5b22f85479201a60002fe92373232f59b (diff)
3 files changed, 18 insertions, 21 deletions
diff --git a/tests/cfgs/default/result/zoom.pcap.out b/tests/cfgs/default/result/zoom.pcap.out
index 09d3ca51a..7df3540be 100644
--- a/tests/cfgs/default/result/zoom.pcap.out
+++ b/tests/cfgs/default/result/zoom.pcap.out
@@ -1,7 +1,7 @@
 Guessed flow protos:	2
 
 DPI Packets (TCP):	110	(7.86 pkts/flow)
-DPI Packets (UDP):	40	(2.22 pkts/flow)
+DPI Packets (UDP):	43	(2.39 pkts/flow)
 DPI Packets (other):	2	(1.00 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 32 (flows)
@@ -48,11 +48,11 @@ JA3 Host Stats:
 	1	 192.168.1.117            	 4      
 
 
-	1	UDP 192.168.1.117:58327 <-> 109.94.160.99:8801 [proto: 338.189/SRTP.Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][10 pkts/7806 bytes <-> 175 pkts/184434 bytes][Goodput ratio: 95/96][1.44 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/8 32/35 11/5][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 781/1054 1071/1071 444/129][PLAIN TEXT (replace)][Plen Bins: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,97,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 192.168.1.117:58327 <-> 109.94.160.99:8801 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][10 pkts/7806 bytes <-> 175 pkts/184434 bytes][Goodput ratio: 95/96][1.44 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/8 32/35 11/5][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 781/1054 1071/1071 444/129][PLAIN TEXT (replace)][Plen Bins: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,97,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	TCP 192.168.1.117:54871 <-> 109.94.160.99:443 [proto: 91.189/TLS.Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 11][cat: Video/26][127 pkts/54118 bytes <-> 83 pkts/17526 bytes][Goodput ratio: 84/69][2.00 sec][Hostname/SNI: zoomfrn99mmr.zoom.us][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 17/9 950/156 93/24][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 426/211 1506/1506 458/364][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: c51de225944b7d58d48c0f99f86ba8e6][JA4: t12d930700_72a4e8475a2e_4446390ac224][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: OU=Domain Control Validated, CN=*.zoom.us][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Firefox][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,20,12,4,2,6,3,2,2,2,4,5,10,1,0,0,1,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]
 	3	TCP 192.168.1.117:54866 <-> 52.202.62.236:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 10][cat: Video/26][16 pkts/3097 bytes <-> 17 pkts/18622 bytes][Goodput ratio: 71/95][0.61 sec][Hostname/SNI: www3.zoom.us][(Advertised) ALPNs: http/1.1][bytes ratio: -0.715 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/28 114/143 47/51][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 194/1095 864/1506 265/618][TLSv1.2][JA3C: 535aca3d99fc247509cd50933cd71d37][JA4: t12d8008ht_9cedc1f1428b_046e095b7c4a][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: OU=Domain Control Validated, CN=*.zoom.us][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Firefox][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,5,0,0,0,5,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,63,0,0]
 	4	TCP 192.168.1.117:54865 <-> 52.202.62.196:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 10][cat: Video/26][15 pkts/2448 bytes <-> 15 pkts/16505 bytes][Goodput ratio: 66/95][0.50 sec][Hostname/SNI: zoom.us][(Advertised) ALPNs: http/1.1][bytes ratio: -0.742 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31/22 112/136 46/46][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 163/1100 687/1506 200/623][TLSv1.2][JA3C: 535aca3d99fc247509cd50933cd71d37][JA4: t12d8008ht_9cedc1f1428b_046e095b7c4a][ServerNames: *.zoom.us,zoom.us][JA3S: 3c30f2c064a3aed8cd95de8d68c726a6][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: OU=Domain Control Validated, CN=*.zoom.us][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Firefox][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,6,0,0,0,6,0,0,6,0,0,0,0,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,6,0,0,0,0,57,0,0]
-	5	UDP 10.140.117.35:45634 <-> 193.122.35.237:8801 [VLAN: 113][proto: GTP:338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][34 pkts/5678 bytes <-> 47 pkts/7940 bytes][Goodput ratio: 48/49][154.35 sec][bytes ratio: -0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 39/2 1919/1250 3741/3741 1619/1357][Pkt Len c2s/s2c min/avg/max/stddev: 167/167 167/169 167/174 0/3][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 10.140.117.35:45634 <-> 193.122.35.237:8801 [VLAN: 113][proto: GTP:189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][34 pkts/5678 bytes <-> 47 pkts/7940 bytes][Goodput ratio: 48/49][154.35 sec][bytes ratio: -0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 39/2 1919/1250 3741/3741 1619/1357][Pkt Len c2s/s2c min/avg/max/stddev: 167/167 167/169 167/174 0/3][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	6	TCP 192.168.1.117:54868 <-> 213.19.144.104:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 11][cat: Video/26][17 pkts/2534 bytes <-> 13 pkts/7180 bytes][Goodput ratio: 56/88][0.41 sec][Hostname/SNI: zoomam104zc.zoom.us][bytes ratio: -0.478 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/41 87/168 27/61][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 149/552 642/1506 175/612][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: c51de225944b7d58d48c0f99f86ba8e6][JA4: t12d930700_72a4e8475a2e_4446390ac224][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: OU=Domain Control Validated, CN=*.zoom.us][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Firefox][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 21,6,6,6,6,0,0,6,0,0,0,0,0,6,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,21,0,0]
 	7	TCP 192.168.1.117:54869 <-> 213.244.140.85:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 11][cat: Video/26][16 pkts/2480 bytes <-> 13 pkts/7182 bytes][Goodput ratio: 57/88][0.39 sec][Hostname/SNI: zoomfr85zc.zoom.us][bytes ratio: -0.487 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27/41 202/224 52/72][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 155/552 642/1506 178/612][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: c51de225944b7d58d48c0f99f86ba8e6][JA4: t12d930700_72a4e8475a2e_4446390ac224][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: OU=Domain Control Validated, CN=*.zoom.us][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Firefox][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 21,6,6,6,6,0,0,6,0,0,0,0,0,6,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,21,0,0]
 	8	TCP 192.168.1.117:54867 <-> 213.19.144.105:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 11][cat: Video/26][16 pkts/2468 bytes <-> 13 pkts/7188 bytes][Goodput ratio: 58/88][0.42 sec][Hostname/SNI: zoomam105zc.zoom.us][bytes ratio: -0.489 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/43 147/178 40/63][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 154/553 642/1506 179/612][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: c51de225944b7d58d48c0f99f86ba8e6][JA4: t12d930700_72a4e8475a2e_4446390ac224][ServerNames: *.zoom.us,zoom.us][JA3S: ada793d0f02b028a6c840504edccb652][Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2][Subject: OU=Domain Control Validated, CN=*.zoom.us][Certificate SHA-1: F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8][Firefox][Validity: 2019-03-25 19:38:42 - 2021-03-25 19:38:42][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 21,6,6,6,6,0,0,6,0,0,0,0,0,6,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,21,0,0]
@@ -62,8 +62,8 @@ JA3 Host Stats:
 	12	TCP 192.168.1.117:54863 <-> 167.99.215.164:4434 [proto: 91.26/TLS.ntop][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Network/14][10 pkts/2198 bytes <-> 10 pkts/2067 bytes][Goodput ratio: 69/68][5.26 sec][Hostname/SNI: dati.ntop.org][bytes ratio: 0.031 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 645/740 5003/5003 1647/1741][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 220/207 932/1292 283/364][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **][Risk Score: 60][Risk Info: No ALPN][TLSv1.2][JA3C: a795593605a13211941d44505b4d1e39][JA4: t12d800700_64d9932cae36_4446390ac224][JA3S: dd4b012f7a008e741554bd0a4ed12920][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 16,0,0,0,34,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0]
 	13	TCP 192.168.1.117:54854 -> 172.217.21.72:443 [proto: 91.239/TLS.GoogleServices][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][4 pkts/1060 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][6.46 sec][Hostname/SNI: www.googletagmanager.com][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][Risk: ** Obsolete TLS (v1.1 or older) **** Unidirectional Traffic **** Probing attempt **][Risk Score: 160][Risk Info: No server to client traffic / TLSv1 / TCP connection with unidirectional traffic][TLSv1][JA3C: d78489b860c8bf7838a6ff0b4d131541][JA4: t10d0909h2_61c4dbd01224_cc731f12afbb][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	14	TCP 192.168.1.117:53867 <-> 104.199.65.42:80 [proto: 7/HTTP][IP: 126/Google][ClearText][Confidence: Match by port][DPI packets: 6][cat: Web/5][4 pkts/710 bytes <-> 2 pkts/242 bytes][Goodput ratio: 63/45][0.09 sec][bytes ratio: 0.492 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30/64 31/64 32/64 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/121 178/121 329/121 115/0][Plen Bins: 0,50,0,0,0,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	15	UDP 192.168.1.117:61731 <-> 109.94.160.99:8801 [proto: 338.189/SRTP.Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][4 pkts/372 bytes <-> 4 pkts/290 bytes][Goodput ratio: 55/39][0.11 sec][bytes ratio: 0.124 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/35 28/27 49/47 18/20][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 93/72 151/93 40/14][PLAIN TEXT (replace)][Plen Bins: 50,25,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	16	UDP 192.168.1.117:60620 <-> 109.94.160.99:8801 [proto: 338.189/SRTP.Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][4 pkts/408 bytes <-> 3 pkts/222 bytes][Goodput ratio: 59/41][1.24 sec][bytes ratio: 0.295 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/31 413/16 1209/31 563/16][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 102/74 149/85 33/10][PLAIN TEXT (replace)][Plen Bins: 28,57,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	15	UDP 192.168.1.117:61731 <-> 109.94.160.99:8801 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][4 pkts/372 bytes <-> 4 pkts/290 bytes][Goodput ratio: 55/39][0.11 sec][bytes ratio: 0.124 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/35 28/27 49/47 18/20][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 93/72 151/93 40/14][PLAIN TEXT (replace)][Plen Bins: 50,25,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	16	UDP 192.168.1.117:60620 <-> 109.94.160.99:8801 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][4 pkts/408 bytes <-> 3 pkts/222 bytes][Goodput ratio: 59/41][1.24 sec][bytes ratio: 0.295 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/31 413/16 1209/31 563/16][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 102/74 149/85 33/10][PLAIN TEXT (replace)][Plen Bins: 28,57,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	17	UDP 192.168.1.117:23903 <-> 162.255.37.14:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.19 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/9 10/9 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	18	UDP 192.168.1.117:23903 <-> 162.255.38.14:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	19	UDP 192.168.1.117:23903 <-> 162.255.38.14:3479 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][3 pkts/258 bytes <-> 3 pkts/222 bytes][Goodput ratio: 51/43][0.18 sec][bytes ratio: 0.075 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 10/9 10/10 10/10 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/74 86/74 86/74 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/zoom2.pcap.out b/tests/cfgs/default/result/zoom2.pcap.out
index 4149f4120..95c1ead42 100644
--- a/tests/cfgs/default/result/zoom2.pcap.out
+++ b/tests/cfgs/default/result/zoom2.pcap.out
@@ -30,7 +30,7 @@ JA3 Host Stats:
 	1	 192.168.1.178            	 1      
 
 
-	1	UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 101/100 36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 101/100 36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	3	UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][JA4: t13d141200_ad449869e501_b11171733d3d][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0]
diff --git a/tests/cfgs/default/result/zoom_p2p.pcapng.out b/tests/cfgs/default/result/zoom_p2p.pcapng.out
index 502eeb12a..12759b069 100644
--- a/tests/cfgs/default/result/zoom_p2p.pcapng.out
+++ b/tests/cfgs/default/result/zoom_p2p.pcapng.out
@@ -1,23 +1,20 @@
-Guessed flow protos:	4
-
-DPI Packets (UDP):	38	(3.80 pkts/flow)
+DPI Packets (UDP):	28	(2.80 pkts/flow)
 DPI Packets (other):	2	(1.00 pkts/flow)
-Confidence DPI (partial cache): 4 (flows)
-Confidence DPI              : 8 (flows)
-Num dissector calls: 780 (65.00 diss/flow)
+Confidence DPI              : 12 (flows)
+Num dissector calls: 514 (42.83 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/12/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       8/0/0 (insert/search/found)
 LRU cache tls_cert:   0/0/0 (insert/search/found)
-LRU cache mining:     0/4/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache stun_zoom:  4/4/4 (insert/search/found)
+LRU cache stun_zoom:  4/0/0 (insert/search/found)
 Automa host:          3/0 (search/found)
 Automa domain:        3/0 (search/found)
 Automa tls cert:      0/0 (search/found)
 Automa risk mask:     0/0 (search/found)
 Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   18/0 (search/found)
+Patricia risk mask:   20/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia risk IPv6:   0/0 (search/found)
@@ -31,9 +28,9 @@ Zoom	691	262429	8
 
 Acceptable                     763 271804        12           
 
-	1	UDP 192.168.12.156:39065 <-> 192.168.1.226:46757 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 7][cat: Video/26][148 pkts/108673 bytes <-> 174 pkts/110457 bytes][Goodput ratio: 94/93][1.67 sec][bytes ratio: -0.008 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/8 88/71 15/12][Pkt Len c2s/s2c min/avg/max/stddev: 127/98 734/635 1269/1302 277/371][PLAIN TEXT (192.168.1.226)][Plen Bins: 0,0,9,1,0,0,0,6,1,0,0,0,0,2,5,11,10,5,4,4,2,0,0,1,2,2,0,0,0,0,0,1,16,0,0,0,3,1,5,0,0,0,0,0,0,0,0,0]
-	2	UDP 192.168.12.156:49579 -> 10.78.14.178:49586 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 9][cat: Video/26][154 pkts/19404 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][4.51 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/0 82/0 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 126/0 126/0 126/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (10.78.14.178)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	UDP 192.168.12.156:42208 -> 10.78.14.178:47312 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 9][cat: Video/26][130 pkts/16380 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][2.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/0 82/0 18/0][Pkt Len c2s/s2c min/avg/max/stddev: 126/0 126/0 126/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (10.78.14.178)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 192.168.12.156:39065 <-> 192.168.1.226:46757 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][148 pkts/108673 bytes <-> 174 pkts/110457 bytes][Goodput ratio: 94/93][1.67 sec][bytes ratio: -0.008 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/8 88/71 15/12][Pkt Len c2s/s2c min/avg/max/stddev: 127/98 734/635 1269/1302 277/371][PLAIN TEXT (192.168.1.226)][Plen Bins: 0,0,9,1,0,0,0,6,1,0,0,0,0,2,5,11,10,5,4,4,2,0,0,1,2,2,0,0,0,0,0,1,16,0,0,0,3,1,5,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.12.156:49579 -> 10.78.14.178:49586 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][154 pkts/19404 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][4.51 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/0 82/0 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 126/0 126/0 126/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (10.78.14.178)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	UDP 192.168.12.156:42208 -> 10.78.14.178:47312 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][130 pkts/16380 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][2.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/0 82/0 18/0][Pkt Len c2s/s2c min/avg/max/stddev: 126/0 126/0 126/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (10.78.14.178)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	ICMP 206.247.10.253:0 -> 192.168.12.156:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][40 pkts/4560 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][38.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 895/0 2027/0 1000/0][Pkt Len c2s/s2c min/avg/max/stddev: 114/0 114/0 114/0 0/0][Risk: ** Susp Entropy **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 5.319 (Executable?)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	UDP 192.168.12.1:17500 -> 192.168.12.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][16 pkts/2784 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][450.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30007/0 30010/0 30013/0 9/0][Pkt Len c2s/s2c min/avg/max/stddev: 174/0 174/0 174/0 0/0][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	6	UDP 192.168.12.156:38453 -> 206.247.87.213:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1974/0 2015/0 2040/0 19/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -41,5 +38,5 @@ Acceptable                     763 271804        12
 	8	UDP 192.168.12.156:42208 -> 206.247.10.253:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1990/0 2013/0 2032/0 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	9	UDP 192.168.12.156:49579 -> 206.247.10.253:3478 [proto: 78.189/STUN.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Video/26][20 pkts/1720 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][38.24 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1990/0 2013/0 2030/0 12/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	10	ICMP 206.247.87.213:0 -> 192.168.12.156:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][13 pkts/1482 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][38.30 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3298/0 22119/0 6017/0][Pkt Len c2s/s2c min/avg/max/stddev: 114/0 114/0 114/0 0/0][Risk: ** Susp Entropy **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 5.315 (Executable?)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	11	UDP 192.168.12.156:38453 -> 192.168.1.226:41036 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI (partial cache)][DPI packets: 5][cat: Video/26][5 pkts/635 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][0.06 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (192.168.1.226)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	11	UDP 192.168.12.156:38453 -> 192.168.1.226:41036 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][5 pkts/635 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][0.06 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (192.168.1.226)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	12	UDP 192.168.12.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][3 pkts/549 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][384.13 sec][Hostname/SNI: _ipps._tcp.local][_ipps._tcp.local][PLAIN TEXT (webdav)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-06-07 09:50:41 +0200
committer	GitHub <noreply@github.com>	2024-06-07 09:50:41 +0200
commit	070a0908b30c055bf0590fb0d10557c1acf70401 (patch)
tree	d13a0ddffabcad6f45e53aa7d4c03adca1e306e6 /tests/cfgs/default/result
parent	619005c5b22f85479201a60002fe92373232f59b (diff)