+ u_int8_t ovpn_session_id[2][8];

+

+#define P_CONTROL_V1 (0x04 << 3)

+#define P_ACK_V1 (0x05 << 3)

+#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3)

+#define P_CONTROL_HARD_RESET_CLIENT_V3 (0x0A << 3)

+#define P_CONTROL_WKC_V1 (0x0B << 3)

+

+#define P_HMAC_NONE 0 // No HMAC

+#define P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) (P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) + 8 * (!!(hmac_size)))

+

+

+

+static int is_opcode_valid(u_int8_t opcode)

+{

+ /* Ignore:

+ * P_DATA_V1/2: they don't have any (useful) info in the header

+ * P_CONTROL_SOFT_RESET_V1: it is used to key renegotiation -> it is not at the beginning of the session

+ */

+ return opcode == P_CONTROL_HARD_RESET_CLIENT_V1 ||

+ opcode == P_CONTROL_HARD_RESET_SERVER_V1 ||

+ opcode == P_CONTROL_V1 ||

+ opcode == P_ACK_V1 ||

+ opcode == P_CONTROL_HARD_RESET_CLIENT_V2 ||

+ opcode == P_CONTROL_HARD_RESET_SERVER_V2 ||

+ opcode == P_CONTROL_HARD_RESET_CLIENT_V3 ||

+ opcode == P_CONTROL_WKC_V1;

+}

+

+static u_int32_t get_packet_id(const u_int8_t * payload, u_int8_t hms) {

+/* From wireshark */

+/* We check the leading 4 byte of a suspected hmac for 0x00 bytes,

+ if more than 1 byte out of the 4 provided contains 0x00, the

+ hmac is considered not valid, which suggests that no tls auth is used.

+ unfortunatly there is no other way to detect tls auth on the fly */

+static int check_for_valid_hmac(u_int32_t hmac)

+{

+ int c = 0;

+

+ if((hmac & 0x000000FF) == 0x00000000)

+ c++;

+ if((hmac & 0x0000FF00) == 0x00000000)

+ c++;

+ if ((hmac & 0x00FF0000) == 0x00000000)

+ c++;

+ if ((hmac & 0xFF000000) == 0x00000000)

+ c++;

+ if (c > 1)

+ return 0;

+ return 1;

+}

+

+static int8_t detect_hmac_size(const u_int8_t *payload, int payload_len) {

+ if((payload_len >= P_HARD_RESET_PACKET_ID_OFFSET(P_HMAC_160) + 4) &&

+ get_packet_id(payload, P_HMAC_160) == 1)

+ if((payload_len >= P_HARD_RESET_PACKET_ID_OFFSET(P_HMAC_128) + 4) &&

+ get_packet_id(payload, P_HMAC_128) == 1)

+

+ /* Heuristic from Wireshark, to detect no-HMAC flows (i.e. tls-crypt) */

+ if(payload_len >= 14 &&

+ !(payload[9] > 0 &&

+ check_for_valid_hmac(ntohl(*(u_int32_t*)(payload + 9)))))

+ return P_HMAC_NONE;

+

+ int dir = packet->packet_direction;

+

+ /* Detection:

+ * (1) server and client resets matching (via session id -> remote session id)

+ * (2) consecutive packets (in both directions) with the same session id

+ * (3) asymmetric traffic

+ */

+

+ if(ovpn_payload_len < 14 + 2 * (packet->tcp != NULL)) {

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+ return;

+ }

+ /* Skip openvpn TCP transport packet size */

+ if(packet->tcp != NULL)

+ ovpn_payload += 2, ovpn_payload_len -= 2;

+

+ opcode = ovpn_payload[0] & P_OPCODE_MASK;

+ if(!is_opcode_valid(opcode)) {

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+ return;

+ }

+ /* Maybe a strong assumption... */

+ if((ovpn_payload[0] & ~P_OPCODE_MASK) != 0) {

+ NDPI_LOG_DBG2(ndpi_struct, "Invalid key id\n");

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+ return;

+ }

+ if(flow->packet_direction_counter[dir] == 1 &&

+ !(opcode == P_CONTROL_HARD_RESET_CLIENT_V1 ||

+ opcode == P_CONTROL_HARD_RESET_CLIENT_V2 ||

+ opcode == P_CONTROL_HARD_RESET_SERVER_V1 ||

+ opcode == P_CONTROL_HARD_RESET_SERVER_V2 ||

+ opcode == P_CONTROL_HARD_RESET_CLIENT_V3)) {

+ NDPI_LOG_DBG2(ndpi_struct, "Invalid first packet\n");

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+ return;

+ }

+ if(flow->packet_direction_counter[dir] == 1 &&

+ packet->tcp &&

+ ntohs(*(u_int16_t *)(packet->payload)) != ovpn_payload_len) {

+ NDPI_LOG_DBG2(ndpi_struct, "Invalid tcp len on reset\n");

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+ return;

+ }

+

+ NDPI_LOG_DBG2(ndpi_struct, "[packets %d/%d][opcode: %u][len: %u]\n",

+ flow->packet_direction_counter[dir],

+ flow->packet_direction_counter[!dir],

+ opcode, ovpn_payload_len);

+

+ if(flow->packet_direction_counter[dir] > 1) {

+ if(memcmp(flow->ovpn_session_id[dir], ovpn_payload + 1, 8) != 0) {

+ NDPI_LOG_DBG2(ndpi_struct, "Invalid session id on two consecutive pkts in the same dir\n");

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+ return;

+ }

+ if(flow->packet_direction_counter[dir] >= 2 &&

+ flow->packet_direction_counter[!dir] >= 2) {

+ /* (2) */

+ NDPI_LOG_INFO(ndpi_struct,"found openvpn (session ids match on both direction)\n");

+ if(flow->packet_direction_counter[dir] >= 4 &&

+ flow->packet_direction_counter[!dir] == 0) {

+ /* (3) */

+ NDPI_LOG_INFO(ndpi_struct,"found openvpn (asymmetric)\n");

+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);

+ return;

+ } else {

+ memcpy(flow->ovpn_session_id[dir], ovpn_payload + 1, 8);

+ NDPI_LOG_DBG2(ndpi_struct, "Session key [%d]: 0x%lx\n", dir,

+ ndpi_ntohll(*(u_int64_t *)flow->ovpn_session_id[dir]));

+ }

+

+ /* (1) */

+ if(flow->packet_direction_counter[!dir] > 0 &&

+ (opcode == P_CONTROL_HARD_RESET_SERVER_V1 ||

+ opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {

+

+ hmac_size = detect_hmac_size(ovpn_payload, ovpn_payload_len);

+ NDPI_LOG_DBG2(ndpi_struct, "hmac size %d\n", hmac_size);

+ failed = 1;

+ if(hmac_size >= 0 &&

+ P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) < ovpn_payload_len) {

+ u_int16_t offset = P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size);

+

+ alen = ovpn_payload[offset];

+

+ if(alen > 0) {

+ offset += 1 + alen * 4;

+

+ if((offset + 8) <= ovpn_payload_len) {

+ session_remote = &ovpn_payload[offset];

+

+ if(memcmp(flow->ovpn_session_id[!dir], session_remote, 8) == 0) {

+ NDPI_LOG_INFO(ndpi_struct,"found openvpn\n");

+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);

+ return;

+ } else {

+ NDPI_LOG_DBG2(ndpi_struct, "key mismatch 0x%lx\n", ndpi_ntohll(*(u_int64_t *)session_remote));

+ }

+ }

+ } else {

+ failed = 0; /* Server reset without remote session id field */

+ }

+ if(failed)

+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);

+

+Num dissector calls: 527 (87.83 diss/flow)

+Num dissector calls: 4626 (23.48 diss/flow)

+Num dissector calls: 136 (136.00 diss/flow)

+Num dissector calls: 4629 (149.32 diss/flow)

+Num dissector calls: 1139 (56.95 diss/flow)

+Num dissector calls: 851 (12.33 diss/flow)

+Num dissector calls: 312 (156.00 diss/flow)

+Num dissector calls: 20463 (83.52 diss/flow)

+Num dissector calls: 156 (156.00 diss/flow)

+Num dissector calls: 528 (176.00 diss/flow)

+Num dissector calls: 157 (157.00 diss/flow)

+Num dissector calls: 1011 (25.27 diss/flow)

+Num dissector calls: 45788 (60.25 diss/flow)

+Num dissector calls: 433 (144.33 diss/flow)

+Num dissector calls: 159 (10.60 diss/flow)

+Num dissector calls: 311 (155.50 diss/flow)

+Num dissector calls: 350 (6.86 diss/flow)

+Num dissector calls: 163 (163.00 diss/flow)

+Num dissector calls: 180 (180.00 diss/flow)

+Num dissector calls: 4059 (112.75 diss/flow)

+Num dissector calls: 353 (50.43 diss/flow)

+Num dissector calls: 776 (64.67 diss/flow)

+Num dissector calls: 1292 (61.52 diss/flow)

+Num dissector calls: 527 (87.83 diss/flow)

+Guessed flow protos: 0

+

+DPI Packets (UDP): 4 (4.00 pkts/flow)

+Confidence DPI : 1 (flows)

+Num dissector calls: 156 (156.00 diss/flow)

+LRU cache ookla: 0/0/0 (insert/search/found)

+LRU cache bittorrent: 0/0/0 (insert/search/found)

+LRU cache zoom: 0/0/0 (insert/search/found)

+LRU cache stun: 0/0/0 (insert/search/found)

+LRU cache tls_cert: 0/0/0 (insert/search/found)

+LRU cache mining: 0/0/0 (insert/search/found)

+LRU cache msteams: 0/0/0 (insert/search/found)

+LRU cache stun_zoom: 0/0/0 (insert/search/found)

+Automa host: 0/0 (search/found)

+Automa domain: 0/0 (search/found)

+Automa tls cert: 0/0 (search/found)

+Automa risk mask: 0/0 (search/found)

+Automa common alpns: 0/0 (search/found)

+Patricia risk mask: 0/0 (search/found)

+Patricia risk mask IPv6: 0/0 (search/found)

+Patricia risk: 0/0 (search/found)

+Patricia risk IPv6: 1/0 (search/found)

+Patricia protocols: 0/0 (search/found)

+Patricia protocols IPv6: 2/0 (search/found)

+

+OpenVPN 13 5354 1

+

+ 1 UDP [::1]:56256 <-> [::1]:1194 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: VPN/2][7 pkts/3253 bytes <-> 6 pkts/2101 bytes][Goodput ratio: 89/85][0.02 sec][bytes ratio: 0.215 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/3 11/9 4/4][Pkt Len c2s/s2c min/avg/max/stddev: 114/114 465/350 1228/1033 382/314][Plen Bins: 0,31,7,0,0,0,7,15,0,0,0,7,0,0,0,0,7,0,0,0,7,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0]

+DPI Packets (TCP): 24 (8.00 pkts/flow)

+DPI Packets (UDP): 15 (3.00 pkts/flow)

+Confidence DPI : 8 (flows)

+Num dissector calls: 1229 (153.62 diss/flow)

+LRU cache bittorrent: 0/6/0 (insert/search/found)

+Patricia risk mask: 4/0 (search/found)

+Patricia risk: 1/0 (search/found)

+Patricia protocols: 16/1 (search/found)

+OpenVPN 660 121492 8

+ 2 TCP 10.181.235.122:39772 <-> 10.251.71.30:1194 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][100 pkts/13594 bytes <-> 95 pkts/13987 bytes][Goodput ratio: 51/55][32.02 sec][bytes ratio: -0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 245/317 3842/9253 675/1172][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136/147 472/542 78/90][PLAIN TEXT (121031022835Z)][Plen Bins: 35,13,1,39,1,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 3 UDP 3.111.166.78:51146 <-> 85.134.13.165:1194 [proto: 159/OpenVPN][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 2][cat: VPN/2][51 pkts/7057 bytes <-> 49 pkts/8409 bytes][Goodput ratio: 70/76][17.72 sec][bytes ratio: -0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 343/338 4127/4124 897/934][Pkt Len c2s/s2c min/avg/max/stddev: 60/64 138/172 168/1242 35/312][PLAIN TEXT (New York1)][Plen Bins: 48,4,1,40,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]

+ 4 TCP 192.168.1.77:60140 <-> 46.101.231.218:443 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][44 pkts/7514 bytes <-> 51 pkts/7866 bytes][Goodput ratio: 61/57][64.13 sec][bytes ratio: -0.023 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1298/1400 11356/11265 2924/3289][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/154 1514/222 236/63][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 1194][PLAIN TEXT (160630002150Z)][Plen Bins: 0,39,0,4,51,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]

+ 5 UDP 192.168.43.12:41507 <-> 139.59.151.137:13680 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VPN/2][49 pkts/7860 bytes <-> 34 pkts/5699 bytes][Goodput ratio: 74/75][9.11 sec][bytes ratio: 0.159 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 224/137 3857/2389 691/464][Pkt Len c2s/s2c min/avg/max/stddev: 84/92 160/168 1214/196 192/31][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (160727093158Z)][Plen Bins: 0,40,14,8,30,2,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]

+ 6 TCP 127.0.0.1:36138 <-> 127.0.0.1:443 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: VPN/2][23 pkts/5552 bytes <-> 23 pkts/5854 bytes][Goodput ratio: 77/77][1.55 sec][bytes ratio: -0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 69/85 1049/1050 238/247][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 241/255 1514/1440 378/396][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 1194][PLAIN TEXT (Rj.shh)][Plen Bins: 0,5,45,5,0,0,0,0,0,0,0,10,0,0,0,0,0,5,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,10,0,0,0,0,0,0,0,5,0,5,0,0]

+ 7 UDP 69.197.143.179:443 -> 10.0.2.15:60201 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: VPN/2][11 pkts/6593 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][2.33 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 259/0 1305/0 430/0][Pkt Len c2s/s2c min/avg/max/stddev: 64/0 599/0 1268/0 521/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No client to server traffic / Expected on port 1194][PLAIN TEXT (RDNTzW)][Plen Bins: 27,0,9,0,0,0,9,0,0,0,0,0,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,27,9,0,0,0,0,0,0,0,0,0]

+ 8 UDP 192.168.75.18:60201 -> 166.161.181.18:443 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: VPN/2][10 pkts/3335 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][0.31 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 34/0 152/0 62/0][Pkt Len c2s/s2c min/avg/max/stddev: 56/0 334/0 1242/0 458/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 1194][Plen Bins: 60,0,0,10,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0]

+Guessed flow protos: 0

+

+DPI Packets (UDP): 2 (2.00 pkts/flow)

+Confidence DPI : 1 (flows)

+Num dissector calls: 123 (123.00 diss/flow)

+LRU cache ookla: 0/0/0 (insert/search/found)

+LRU cache bittorrent: 0/0/0 (insert/search/found)

+LRU cache zoom: 0/0/0 (insert/search/found)

+LRU cache stun: 0/0/0 (insert/search/found)

+LRU cache tls_cert: 0/0/0 (insert/search/found)

+LRU cache mining: 0/0/0 (insert/search/found)

+LRU cache msteams: 0/0/0 (insert/search/found)

+LRU cache stun_zoom: 0/0/0 (insert/search/found)

+Automa host: 0/0 (search/found)

+Automa domain: 0/0 (search/found)

+Automa tls cert: 0/0 (search/found)

+Automa risk mask: 0/0 (search/found)

+Automa common alpns: 0/0 (search/found)

+Patricia risk mask: 0/0 (search/found)

+Patricia risk mask IPv6: 0/0 (search/found)

+Patricia risk: 1/0 (search/found)

+Patricia risk IPv6: 0/0 (search/found)

+Patricia protocols: 2/1 (search/found)

+Patricia protocols IPv6: 0/0 (search/found)

+

+OpenVPN 944 303931 1

+

+ 1 UDP 3.111.166.78:51146 <-> 85.134.13.165:1194 [proto: 159/OpenVPN][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][DPI packets: 2][cat: VPN/2][594 pkts/138399 bytes <-> 350 pkts/165532 bytes][Goodput ratio: 82/91][73.25 sec][bytes ratio: -0.089 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 101/181 5093/5107 502/713][Pkt Len c2s/s2c min/avg/max/stddev: 60/64 233/473 1490/1487 273/526][PLAIN TEXT (New York1)][Plen Bins: 18,1,1,72,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]

+Guessed flow protos: 0

+

+DPI Packets (TCP): 6 (6.00 pkts/flow)

+Confidence DPI : 1 (flows)

+Num dissector calls: 130 (130.00 diss/flow)

+LRU cache ookla: 0/0/0 (insert/search/found)

+LRU cache bittorrent: 0/0/0 (insert/search/found)

+LRU cache zoom: 0/0/0 (insert/search/found)

+LRU cache stun: 0/0/0 (insert/search/found)

+LRU cache tls_cert: 0/0/0 (insert/search/found)

+LRU cache mining: 0/0/0 (insert/search/found)

+LRU cache msteams: 0/0/0 (insert/search/found)

+LRU cache stun_zoom: 0/0/0 (insert/search/found)

+Automa host: 0/0 (search/found)

+Automa domain: 0/0 (search/found)

+Automa tls cert: 0/0 (search/found)

+Automa risk mask: 0/0 (search/found)

+Automa common alpns: 0/0 (search/found)

+Patricia risk mask: 0/0 (search/found)

+Patricia risk mask IPv6: 0/0 (search/found)

+Patricia risk: 0/0 (search/found)

+Patricia risk IPv6: 0/0 (search/found)

+Patricia protocols: 2/0 (search/found)

+Patricia protocols IPv6: 0/0 (search/found)

+

+OpenVPN 195 27581 1

+

+ 1 TCP 10.181.235.122:39772 <-> 10.251.71.30:1194 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: VPN/2][100 pkts/13594 bytes <-> 95 pkts/13987 bytes][Goodput ratio: 51/55][32.02 sec][bytes ratio: -0.014 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 245/317 3842/9253 675/1172][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 136/147 472/542 78/90][PLAIN TEXT (121031022835Z)][Plen Bins: 35,13,1,39,1,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+Num dissector calls: 724 (72.40 diss/flow)

+Num dissector calls: 138 (138.00 diss/flow)

+Num dissector calls: 1181 (196.83 diss/flow)

+Num dissector calls: 196 (196.00 diss/flow)

+Num dissector calls: 5700 (53.27 diss/flow)

+Num dissector calls: 698 (139.60 diss/flow)

+Num dissector calls: 223 (22.30 diss/flow)

+Num dissector calls: 1475 (122.92 diss/flow)

+Num dissector calls: 407 (135.67 diss/flow)

+Num dissector calls: 252 (252.00 diss/flow)

+Num dissector calls: 306 (153.00 diss/flow)

+Num dissector calls: 439 (146.33 diss/flow)

+Num dissector calls: 680 (136.00 diss/flow)

+Num dissector calls: 174 (174.00 diss/flow)

+Num dissector calls: 176 (176.00 diss/flow)

+Num dissector calls: 198 (198.00 diss/flow)

+Num dissector calls: 27376 (93.43 diss/flow)

+Num dissector calls: 22753 (85.22 diss/flow)

+Num dissector calls: 173 (173.00 diss/flow)

+Num dissector calls: 390 (97.50 diss/flow)

+Num dissector calls: 1535 (29.52 diss/flow)

+Num dissector calls: 207 (103.50 diss/flow)

+Guessed flow protos: 6

+DPI Packets (UDP): 82 (1.71 pkts/flow)

+Confidence Unknown : 3 (flows)

+Confidence DPI : 45 (flows)

+Num dissector calls: 1560 (32.50 diss/flow)

+LRU cache bittorrent: 0/9/0 (insert/search/found)

+LRU cache mining: 0/3/0 (insert/search/found)

+LRU cache stun_zoom: 0/3/0 (insert/search/found)

+Patricia risk mask: 50/0 (search/found)

+Unknown 306 72708 3

+ 36 UDP 192.168.1.77:58615 <-> 192.168.1.1:53 [proto: 5.121/DNS.Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/123 bytes][Goodput ratio: 48/65][0.03 sec][Hostname/SNI: telemetry.dropbox.com][162.125.19.9][PLAIN TEXT (telemetry)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 37 UDP 192.168.1.77:49764 <-> 192.168.1.1:53 [proto: 5.26/DNS.ntop][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/73 bytes <-> 1 pkts/121 bytes][Goodput ratio: 42/65][0.05 sec][Hostname/SNI: dati.ntop.org][167.99.215.164][PLAIN TEXT (digitalocean)][Plen Bins: 50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 38 UDP 192.168.1.77:47127 <-> 192.168.1.1:53 [proto: 5.239/DNS.GoogleServices][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/85 bytes <-> 1 pkts/101 bytes][Goodput ratio: 50/58][0.00 sec][Hostname/SNI: www.googletagservices.com][192.168.1.157][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][PLAIN TEXT (googletagservices)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 39 UDP 192.168.1.77:49533 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/85 bytes <-> 1 pkts/101 bytes][Goodput ratio: 50/58][0.01 sec][Hostname/SNI: e4518.dscx.akamaiedge.net][92.122.246.223][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 40 UDP 192.168.1.77:61120 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/85 bytes <-> 1 pkts/101 bytes][Goodput ratio: 50/58][0.01 sec][Hostname/SNI: e4518.dscx.akamaiedge.net][92.122.246.223][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 41 UDP 192.168.1.77:61631 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.01 sec][Hostname/SNI: e7047.e12.akamaiedge.net][92.122.247.92][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 42 UDP 192.168.1.77:5812 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/88 bytes][Goodput ratio: 41/52][0.00 sec][Hostname/SNI: pixel.wp.com][192.168.1.157][Risk: ** Minor Issues **][Risk Score: 10][Risk Info: DNS Record with zero TTL][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 43 UDP [fe80::4dc:edec:5b0c:a661]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/111 bytes -> 0 pkts/0 bytes][Goodput ratio: 44/0][< 1 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 44 UDP 192.168.1.52:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 53/0][< 1 sec][Hostname/SNI: _raop._tcp.local][_raop._tcp.local][PLAIN TEXT (airplay)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 45 UDP 192.168.1.77:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Music/25][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][PLAIN TEXT (SpotUdp)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+ 3 UDP 192.168.1.77:23174 -> 87.11.205.195:60723 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 2][2 pkts/212 bytes -> 0 pkts/0 bytes][Goodput ratio: 60/0][1.50 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

+Num dissector calls: 1933 (56.85 diss/flow)

+Num dissector calls: 157 (157.00 diss/flow)

+Num dissector calls: 619 (68.78 diss/flow)

+Num dissector calls: 513 (128.25 diss/flow)

+Num dissector calls: 453 (15.62 diss/flow)

+Num dissector calls: 357 (10.82 diss/flow)

+Num dissector calls: 280 (4.91 diss/flow)

+Num dissector calls: 545 (12.39 diss/flow)

+Num dissector calls: 12728 (148.00 diss/flow)

+Num dissector calls: 527 (87.83 diss/flow)

+Num dissector calls: 776 (64.67 diss/flow)

+Num dissector calls: 4626 (23.48 diss/flow)