-rw-r--r--src/lib/ndpi_content_match.c.inc4
-rw-r--r--src/lib/ndpi_main.c24
-rw-r--r--src/lib/protocols/stun.c1
-rw-r--r--src/lib/protocols/tls.c31
-rw-r--r--tests/result/KakaoTalk_chat.pcap.out6
-rw-r--r--tests/result/skype.pcap.out6
-rw-r--r--tests/result/skype_no_unknown.pcap.out6
-rw-r--r--tests/result/waze.pcap.out27
-rw-r--r--tests/result/webex.pcap.out6
9 files changed, 76 insertions, 35 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 54ce263e6..d095e14ff 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8579,7 +8579,8 @@ static ndpi_protocol_match host_match[] = {
{ "e7768.b.akamaiedge.net", NULL, "e7768\\.b\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ "e4593.dspg.akamaiedge.net", NULL, "e4593\\.dspg\\.akamaiedge" TLD,"Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ "e4593.g.akamaiedge.net", NULL, "e4593\\.g\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
-
+ { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".tuenti.com", NULL, "\\.tuenti" TLD, "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ ".twttr.com", NULL, "\\.twttr" TLD, "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8669,7 +8670,6 @@ static ndpi_protocol_match host_match[] = {
{ "login.live.com", NULL, "login\\.live" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ "bn1301.storage.live.com", NULL, "bn1301\\.storage\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE,NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
- { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "skyapi.live.net", NULL, "skyapi\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "d.docs.live.net", NULL, "d\\.docs\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "onedrive.live.com", NULL, "onedrive\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 6e99d522c..2c05d8f84 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4578,6 +4578,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
if(flow->check_extra_packets) {
ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_tick_l, src, dst);
+ /* Update in case of new match */
+ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
return(ret);
} else
goto ret_protocols;
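Review bot: Only `master_protocol` and `app_protocol` are refreshed on `ret` after `ndpi_process_extra_packet()`, so any other field of the returned value keeps what it held before the extra packet was processed. The updated expectations in this same commit show flows such as `[proto: 91.125/TLS.Skype][cat: Web/5]` even though the Skype `host_match` entry declares `NDPI_PROTOCOL_CATEGORY_VOIP`, which suggests the category is not following the new match (the cause may be here or in the matcher, which is not visible in this hunk). Consumers that filter or alert by category would then treat the reclassified flow as plain Web traffic. I would also split the comma expression into two statements, `ret.master_protocol = flow->detected_protocol_stack[1];` and `ret.app_protocol = flow->detected_protocol_stack[0];`. The enclosing function starts and ends outside the hunk.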
@@ -6053,6 +6055,25 @@ static int hyperscanEventHandler(unsigned int id, unsigned long long from,
#endif
+/* **************************************** */
+
+static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_t new_proto) {
+ /* Sometimes certificates are more generic than previously identified protocols */
+
+ if((previous_proto == NDPI_PROTOCOL_UNKNOWN)
+ || (previous_proto == new_proto))
+ return(0);
+
+ switch(previous_proto) {
+ case NDPI_PROTOCOL_WHATSAPP_CALL:
+ case NDPI_PROTOCOL_WHATSAPP_FILES:
+ if(new_proto == NDPI_PROTOCOL_WHATSAPP)
+ return(1);
+ }
+
+ return(0);
+}
+
/* ****************************************************** */
static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_str,
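Review bot: `ndpi_is_more_generic_protocol()` has no statement of its contract and its `switch` has no `default`, so a reader has to infer that falling out of the switch means "not more generic". A header comment such as `/* Returns 1 when new_proto is a generic parent of previous_proto, so the caller should keep the more specific label already detected */` would cover it, and `default: break;` makes the fall-out explicit. The parent/child relation is hard-coded for the two WhatsApp sub-protocols only, so the comment should also say that other protocol families have to be added here by hand.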
@@ -6109,7 +6130,8 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu
}
#endif
- if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
+ if((matching_protocol_id != NDPI_PROTOCOL_UNKNOWN)
+ && (!ndpi_is_more_generic_protocol(packet->detected_protocol_stack[0], matching_protocol_id))) {
/* Move the protocol on slot 0 down one position */
packet->detected_protocol_stack[1] = master_protocol_id,
packet->detected_protocol_stack[0] = matching_protocol_id;
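Review bot: When the new guard rejects a match, the stack update is skipped, but what the function then returns is outside this hunk. The call site added to `getTLScertificate()` in this commit calls `ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS)` for any non-unknown return value, so if the rejected `matching_protocol_id` is still returned, the more specific label would be overwritten there anyway; please confirm the rejected path returns `NDPI_PROTOCOL_UNKNOWN`. The guard also reads `packet->detected_protocol_stack[0]`, while `ndpi_detection_process_packet()` tests `flow->detected_protocol_stack[0]`; a short comment saying why the packet copy is the right one to compare would help.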
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 448062f47..fbb0578f8 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -38,7 +38,6 @@ struct stun_packet_header {
u_int8_t transaction_id[8];
};
-
/* ************************************************************ */
u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 261f2ab28..c65d4fc69 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -67,7 +67,7 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
struct ndpi_flow_struct *flow, u_int32_t protocol) {
struct ndpi_packet_struct *packet = &flow->packet;
- protocol = NDPI_PROTOCOL_TLS;
+ // protocol = NDPI_PROTOCOL_TLS;
if(packet->tcp != NULL) {
switch(protocol) {
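Review bot: The assignment is left behind as commented-out code (`// protocol = NDPI_PROTOCOL_TLS;`) with no explanation, while the `switch(protocol)` just below now acts on whatever value the caller passes in. Delete the line and, if the intent is to keep a previously detected protocol, say so in a comment, e.g. `/* keep the caller's protocol; forcing TLS here would discard a certificate-based match */` (intent inferred, please confirm). The function body continues outside the hunk, so whether every caller passes a sensible `protocol` cannot be checked from here.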
@@ -424,9 +424,25 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
if(num_dots >= 1) {
if(!ndpi_struct->disable_metadata_export) {
+ ndpi_protocol_match_result ret_match;
+ u_int16_t subproto;
+
stripCertificateTrailer(buffer, buffer_len);
snprintf(flow->protos.stun_ssl.ssl.server_certificate,
sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer);
+
+#ifdef DEBUG_TLS
+ printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate);
+#endif
+
+ subproto = ndpi_match_host_subprotocol(ndpi_struct, flow,
+ flow->protos.stun_ssl.ssl.server_certificate,
+ strlen(flow->protos.stun_ssl.ssl.server_certificate),
+ &ret_match,
+ NDPI_PROTOCOL_TLS);
+
+ if(subproto != NDPI_PROTOCOL_UNKNOWN)
+ ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS);
}
return(1 /* Server Certificate */);
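Review bot: The new certificate match sits inside `if(!ndpi_struct->disable_metadata_export)`, so turning metadata export off also turns off this classification path and the same traffic gets a different label depending on an export setting. Moving `stripCertificateTrailer(buffer, buffer_len);` and the match out of that block, and matching on `buffer` rather than on the possibly truncated copy in `server_certificate`, would decouple the two. `ret_match` is filled but never read in the visible lines. The name being matched comes from the peer's certificate and nothing in this hunk validates the chain, so it deserves a comment that the resulting sub-protocol is a label derived from unauthenticated data, not a verified identity. The function starts and ends outside the hunk.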
@@ -1111,11 +1127,16 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
#endif
ndpi_protocol_match_result ret_match;
- u_int16_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
- strlen(certificate),
- &ret_match,
- NDPI_PROTOCOL_TLS);
+ u_int16_t subproto;
+ if(certificate[0] == '\0')
+ subproto = NDPI_PROTOCOL_UNKNOWN;
+ else
+ subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
+ strlen(certificate),
+ &ret_match,
+ NDPI_PROTOCOL_TLS);
+
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
/* If we've detected the subprotocol from client certificate but haven't had a chance
* to see the server certificate yet, set up extra packet processing to wait
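Review bot: The multi-line `else` branch is unbraced and `ret_match` stays uninitialized when the certificate is empty, which is easy to trip over if later code in this function reads it. Initializing at the declaration reads more simply: `u_int16_t subproto = NDPI_PROTOCOL_UNKNOWN;` followed by `if(certificate[0] != '\0') subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, strlen(certificate), &ret_match, NDPI_PROTOCOL_TLS);`. The call added to `getTLScertificate()` in this commit has no equivalent empty-string check; it is reached only when `num_dots >= 1`, which may be enough, but the two sites should be consistent. The rest of the function lies outside the hunk.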
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
index 55fc0fd66..77d960896 100644
--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@@ -1,12 +1,12 @@
DNS 2 217 1
HTTP 1 56 1
ICMP 1 147 1
-TLS 50 9815 3
+TLS 23 2689 2
Facebook 215 51809 12
Google 16 1031 3
HTTP_Proxy 26 3926 1
Amazon 8 2071 2
-KakaoTalk 28 2864 14
+KakaoTalk 55 9990 15
JA3 Host Stats:
IP Address # JA3C
@@ -19,7 +19,7 @@ JA3 Host Stats:
4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.3/71.2 489/365 131.0/103.2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167.2/388.7 899/1336 222.0/490.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2049.7/118.1 26937/448 6904.3/126.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 132.8/264.6 578/1336 133.6/439.4][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
- 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91/TLS][cat: Web/5][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+ 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/TLS.KakaoTalk][cat: Web/5][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][cat: Web/5][17 pkts/2231 bytes <-> 9 pkts/1695 bytes][bytes ratio: 0.137 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 50/36 2833.0/4340.0 12590/13131 4126.4/4406.8][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 131.2/188.3 657/274 136.4/75.5]
9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/TLS][cat: Web/5][9 pkts/1737 bytes <-> 9 pkts/672 bytes][bytes ratio: 0.442 (Upload)][IAT c2s/s2c min/avg/max/stddev: 40/104 3455.9/3426.0 12765/12806 4427.1/4479.6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 193.0/74.7 303/98 122.5/20.9]
10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91.178/TLS.Amazon][cat: Web/5][3 pkts/290 bytes <-> 3 pkts/1600 bytes][bytes ratio: -0.693 (Download)][IAT c2s/s2c min/avg/max/stddev: 15/5 107.0/56.5 199/108 92.0/51.5][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 96.7/533.3 146/1456 35.0/652.4][TLSv1][JA3C: d9ce50c62ab1fd5932da3c6b6d406c65][Server: *.push.samsungosp.com][JA3S: 986d18bb49fadf70a73a06ead3780d55 (INSECURE)][Organization: SAMSUNG ELECTRONICS CO., LTD][Certificate SHA-1: CE:C6:14:8F:23:A0:C2:C9:C5:9A:B0:BB:EC:1D:4A:7E:33:2A:43:12][Validity: 1999-12-31 15:02:10 - 2049-12-18 15:02:10][Cipher: TLS_RSA_WITH_RC4_128_MD5]
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index ed8dd2d34..4ee4a9589 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -6,9 +6,9 @@ SSDP 101 38156 6
SkypeCall 152 10704 144
ICMP 8 656 1
IGMP 5 258 4
-TLS 483 206966 8
+TLS 96 8876 7
Dropbox 38 17948 5
-Skype 1409 253031 79
+Skype 1796 451121 80
Apple 3 168 1
AppleiCloud 88 20520 2
Spotify 5 430 1
@@ -19,7 +19,7 @@ JA3 Host Stats:
1 192.168.1.34 2
- 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002.2/607.6 30166/30261 4602.0/3438.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][bytes ratio: -0.571 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002.2/607.6 30166/30261 4602.0/3438.8][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 227.5/777.8 1506/1506 423.1/552.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][cat: VoIP/10][231 pkts/60232 bytes <-> 241 pkts/104395 bytes][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 448.5/356.9 8300/8646 1135.8/1099.3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 260.7/433.2 1506/1506 342.9/569.4][PLAIN TEXT ( 0sKWL)]
3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][79 pkts/29479 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1135.8/0.0 19950/0 4578.7/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 373.2/0.0 405/0 28.8/0.0][PLAIN TEXT (NOTIFY )]
4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 114.6/85.0 899/1012 249.9/251.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224.1/247.7 680/1494 261.3/323.6][TLSv1.2][Client: p05-keyvalueservice.icloud.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index 6f605f75f..9292b8a56 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -6,9 +6,9 @@ SSDP 40 14100 3
SkypeCall 154 10918 146
ICMP 4 328 1
IGMP 4 226 4
-TLS 427 189429 7
+TLS 79 7742 6
Dropbox 16 7342 5
-Skype 837 150140 59
+Skype 1185 331827 60
Apple 76 19581 1
ApplePush 8 1118 1
@@ -17,7 +17,7 @@ JA3 Host Stats:
1 192.168.1.34 2
- 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91/TLS][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 369.6/331.3 45360/45460 3946.4/3735.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype][cat: Web/5][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 369.6/331.3 45360/45460 3946.4/3735.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235.2/783.8 1506/1506 432.7/564.7][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][Server: *.gateway.messenger.live.com][JA3S: d9699a2032a6c5371343b7f7dfd94abe][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][cat: VoIP/10][101 pkts/30681 bytes <-> 98 pkts/59934 bytes][bytes ratio: -0.323 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 238.2/214.7 3095/3095 411.2/400.9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 303.8/611.6 1506/1506 405.8/625.9][PLAIN TEXT (nZREBS)]
3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2272.9/322.9 55625/8255 10013.7/1510.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239.0/276.3 680/1494 273.4/358.4]
4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1254.2/0.0 19850/0 4801.4/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 372.3/0.0 405/0 28.7/0.0][PLAIN TEXT (NOTIFY )]
diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out
index b74ab4dbf..20b00d702 100644
--- a/tests/result/waze.pcap.out
+++ b/tests/result/waze.pcap.out
@@ -3,28 +3,27 @@ HTTP 65 64777 8
NTP 2 180 1
TLS 8 432 2
Google 13 2142 1
-Waze 102 11962 7
+Waze 484 289335 19
WhatsApp 15 1341 1
-Amazon 382 277373 12
JA3 Host Stats:
IP Address # JA3C
1 10.8.0.1 2
- 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 287.7/329.3 3806/5018 686.4/819.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 208.8/1360.9 590/17258 183.0/3378.1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][bytes ratio: -0.747 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 287.7/329.3 3806/5018 686.4/819.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 208.8/1360.9 590/17258 183.0/3378.1][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7/HTTP][cat: Web/5][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Host: xtra1.gpsonextra.net][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 320.7/372.6 3680/3677 903.4/959.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68.9/3438.7 317/11833 58.6/3467.6][URL: xtra1.gpsonextra.net/xtra2.bin][StatusCode: 200][PLAIN TEXT (GET /xtra)]
- 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.178/TLS.Amazon][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155.3/188.5 387/415 136.9/130.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115.4/3558.4 590/21942 132.3/6124.9][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.178/TLS.Amazon][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.8/125.8 1449/293 382.9/116.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128.0/2829.5 590/11186 147.3/3901.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.178/TLS.Amazon][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237.2/155.3 1289/609 358.5/182.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102.7/2026.6 411/8150 98.2/2611.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 578.4/1210.2 5838/5890 1444.5/1891.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139.3/518.8 555/3660 140.6/938.6][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.178/TLS.Amazon][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][bytes ratio: -0.775 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 162.5/196.0 343/348 153.1/132.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 129.2/1018.9 283/4048 86.6/1610.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 298.1/360.9 1175/1175 372.1/354.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106.8/594.6 315/1422 85.4/584.3][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 283.4/305.9 1174/1173 370.4/349.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 111.6/648.7 315/2165 87.6/739.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 728.7/962.9 4966/4966 1533.8/1663.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 137.5/411.2 380/3201 123.8/874.8][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.178/TLS.Amazon][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 195.8/194.7 883/537 285.6/190.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.8/383.6 380/2189 106.9/639.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.178/TLS.Amazon][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 335.4/261.1 1332/645 428.4/235.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 114.5/490.3 347/2533 94.6/785.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
- 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.178/TLS.Amazon][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 300.3/341.3 1397/1346 459.1/420.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131.6/485.4 379/2165 107.7/725.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][bytes ratio: -0.933 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 155.3/188.5 387/415 136.9/130.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115.4/3558.4 590/21942 132.3/6124.9][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][bytes ratio: -0.902 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 217.8/125.8 1449/293 382.9/116.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 128.0/2829.5 590/11186 147.3/3901.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][bytes ratio: -0.890 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 237.2/155.3 1289/609 358.5/182.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 102.7/2026.6 411/8150 98.2/2611.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][bytes ratio: -0.558 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 578.4/1210.2 5838/5890 1444.5/1891.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 139.3/518.8 555/3660 140.6/938.6][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/TLS.Waze][cat: Web/5][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][bytes ratio: -0.775 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/1 162.5/196.0 343/348 153.1/132.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 129.2/1018.9 283/4048 86.6/1610.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][bytes ratio: -0.672 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/5 298.1/360.9 1175/1175 372.1/354.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 106.8/594.6 315/1422 85.4/584.3][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][bytes ratio: -0.682 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 283.4/305.9 1174/1173 370.4/349.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 111.6/648.7 315/2165 87.6/739.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][bytes ratio: -0.499 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 728.7/962.9 4966/4966 1533.8/1663.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 137.5/411.2 380/3201 123.8/874.8][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2002-05-21 04:00:00 - 2018-08-21 04:00:00][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/TLS.Waze][cat: Web/5][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 195.8/194.7 883/537 285.6/190.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.8/383.6 380/2189 106.9/639.7][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/TLS.Waze][cat: Web/5][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][bytes ratio: -0.556 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 335.4/261.1 1332/645 428.4/235.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 114.5/490.3 347/2533 94.6/785.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.world.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: 30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B][Validity: 2014-11-06 16:09:20 - 2015-11-06 16:09:20][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
+ 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/TLS.Waze][cat: Web/5][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][bytes ratio: -0.574 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 300.3/341.3 1397/1346 459.1/420.8][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131.6/485.4 379/2165 107.7/725.4][TLSv1][JA3C: f392f120f1087cd2f8814539cf58cfa4][Server: *.waze.com][JA3S: 39f74f5618836d3c5f7dcccc9f67ba75][Organization: Google Inc][Certificate SHA-1: A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57][Validity: 2013-04-05 15:15:55 - 2016-12-31 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Host: roadshields.waze.com][bytes ratio: -0.706 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/3 75.0/104.8 261/274 88.5/91.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.7/428.0 137/1678 26.0/650.9][PLAIN TEXT (GET /images/HD/CH)]
15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 91.126/TLS.Google][cat: Web/5][7 pkts/1137 bytes <-> 6 pkts/1005 bytes][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 32.2/74.5 53/188 24.3/68.9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 162.4/167.5 572/602 176.8/200.3][TLSv1][JA3C: f8f5b71e02603b283e55b50d17ede861][JA3S: 23f1f6e2f0015c166df49fdab4280370 (INSECURE)][Cipher: TLS_ECDHE_RSA_WITH_RC4_128_SHA]
16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][cat: Web/5][8 pkts/594 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com][bytes ratio: -0.130 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 22.7/28.7 134/84 49.8/39.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 74.2/110.1 194/447 45.7/137.5][PLAIN TEXT (GET /lang)]
diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out
index 2cc4d00bd..3a9053877 100644
--- a/tests/result/webex.pcap.out
+++ b/tests/result/webex.pcap.out
@@ -1,8 +1,8 @@
HTTP 22 3182 2
-TLS 120 17043 9
+TLS 106 11841 8
SIP 22 15356 1
Google 17 6375 1
-Webex 1366 813205 42
+Webex 1380 818407 43
Amazon 33 9742 2
JA3 Host Stats:
@@ -37,7 +37,7 @@ JA3 Host Stats:
25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][9 pkts/895 bytes <-> 8 pkts/4398 bytes][bytes ratio: -0.662 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/1 263.0/413.2 1025/1231 416.0/511.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 99.4/549.8 380/2581 101.1/889.3][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2015-04-10 00:00:00 - 2018-04-10 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
26 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/10 300.8/483.5 1105/1237 425.1/496.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
27 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][8 pkts/841 bytes <-> 7 pkts/4376 bytes][bytes ratio: -0.678 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 298.7/483.0 1096/1238 422.9/497.7][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 105.1/625.1 380/3993 105.9/1375.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
- 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91/TLS][cat: Web/5][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125.4/128.6 463/394 174.1/138.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 168.7/574.4 448/2957 157.6/988.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Cisco Systems][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2010-02-19 22:39:26 - 2020-02-18 22:39:26][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
+ 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/TLS.Webex][cat: Web/5][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][bytes ratio: -0.546 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/9 125.4/128.6 463/394 174.1/138.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 168.7/574.4 448/2957 157.6/988.7][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: www.webex.com][JA3S: 714ac86d50db68420429ca897688f5f3 (WEAK)][Organization: Cisco Systems][Certificate SHA-1: EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD][Validity: 2010-02-19 22:39:26 - 2020-02-18 22:39:26][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][7 pkts/461 bytes <-> 6 pkts/4231 bytes][bytes ratio: -0.803 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/14 596.2/745.0 1927/1038 776.4/424.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 65.9/705.2 117/2896 22.0/1054.1][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2023-10-30 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/TLS.Webex][cat: VoIP/10][6 pkts/407 bytes <-> 5 pkts/4177 bytes][bytes ratio: -0.822 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 1018.2/992.3 2975/1922 1214.3/785.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 67.8/835.4 117/3961 23.2/1562.8][TLSv1][JA3C: 7cb93b2404a98399e9f84c74fef1fb8f][Server: *.webex.com][JA3S: 91589ea825a2ee41810c85fab06d2ef6 (WEAK)][Organization: Cisco Systems, Inc.][Certificate SHA-1: 61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1][Validity: 2006-11-08 00:00:00 - 2021-11-07 23:59:59][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 91/TLS][cat: Web/5][10 pkts/1465 bytes <-> 11 pkts/1065 bytes][bytes ratio: 0.158 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 77.1/76.9 283/252 98.2/86.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 146.5/96.8 590/396 160.9/101.6][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 6dfe5eb347aa509fc445e5628d467a2b (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5]
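Review bot: Flow 28 in the new expectation is labelled `91.141/TLS.Webex` but still carries `[cat: Web/5]`, while every other TLS.Webex flow in this hunk (25-27, 29, 30) reports `[cat: VoIP/10]`. This suggests the path that now attributes the flow to Webex sets the application protocol without refreshing the flow category; presumably that is the certificate name match on `www.webex.com`, but the code is not visible in this hunk. Consumers that filter, account or alert by category would then treat this flow differently from the other Webex sessions. Before freezing this result, I would make the category follow the matched protocol so the line reads `[proto: 91.141/TLS.Webex][cat: VoIP/10]`, or add a comment at the match site explaining why the category is deliberately left at Web.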