authorToni <matzeton@googlemail.com>2025-02-25 15:17:16 +0100
committerGitHub <noreply@github.com>2025-02-25 15:17:16 +0100
commit42c54d3755a84dfaf741157fe83c94b0b15fb296 (patch)
treee346cb7edd0baafc5981674090ac471de148bc98 /test/results/default/fins.pcap.out
parentbb870cb98fd6885b2e1d1c6ae0af5b1c32663d8a (diff)
Initial tunnel decoding (GRE - Layer4 only atm) (#55)
Initial tunnel decoding (GRE - Layer4 only atm). Fixes #53 * finally make use of the thread distribution seed * Handle GRE/PPP subprotocol the right way * Add `-t` command line / config option * Removed duplicated and obsolete IP{4,6}_SIZE_SMALLER_THAN_HEADER which is the same as IP{4,6}_PACKET_TOO_SHORT * Updated error event schema Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/default/fins.pcap.out')
-rw-r--r--test/results/default/fins.pcap.out24
1 files changed, 12 insertions, 12 deletions
diff --git a/test/results/default/fins.pcap.out b/test/results/default/fins.pcap.out
index 3bedc49b1..285bc33c4 100644
--- a/test/results/default/fins.pcap.out
+++ b/test/results/default/fins.pcap.out
@@ -9,40 +9,40 @@
00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1233089082809435,"flow_dst_last_pkt_time":1233089082809333,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1233089082809435,"pkt":"ANADs6f8ABNyl6LUCABFAAAugi9AAEAREyIKBA5mCoKCguViJYAAGnxSgAACAAAAAAAAegEBgszMzAAC"}
02050{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1233089082809333,"flow_src_last_pkt_time":1233089082810135,"flow_dst_last_pkt_time":1233089082809333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":613,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1233089082810135,"l3_proto":"ip4","src_ip":"10.4.14.102","dst_ip":"10.130.130.130","src_port":58722,"dst_port":9600,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":22,"avg":25.9,"max":31,"stddev":1.6,"var":2.4,"ent":5.0,"data": [22,29,26,25,25,26,27,26,26,25,25,25,26,26,25,26,25,25,26,27,31,27,25,25,26,25,25,26,25,25,29]},"pktlen": {"min":44,"avg":47.2,"max":65,"stddev":3.5,"var":12.6,"ent":5.0,"data": [46,46,46,46,46,46,46,46,46,46,46,46,46,46,46,46,46,46,46,52,48,44,48,50,46,46,46,46,46,50,48,65]},"bins": {"c_to_s": [31,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [3.966703415,3.990315914,4.006726265,4.050204754,4.015212536,4.077271938,4.033793926,4.077271938,4.093682766,4.093682766,4.093682766,4.093682766,4.050204754,4.093682766,4.093682766,4.093682766,4.093682766,4.050204277,4.077271938,4.222351551,4.000422955,3.952195406,3.979268074,4.288366795,3.913608313,3.913608313,3.913608789,3.913608313,3.837309122,4.107601166,3.918294430,3.660078049]},"ndpi": {"confidence": 
{"6":"DPI"},"proto":"FINS","proto_id":"362","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
00840{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":246,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.13.0-5086-e946f49","ndpi_api_version":11807,"size_per_flow":1408,"packets-captured":246,"packets-processed":245,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":6597,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":11,"global_ts_usec":1428095655145347}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":1,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655145347,"packet_id":246,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":66,"expected":70,"global_ts_usec":1428095655145347}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":1,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655145347,"packet_id":246,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":66,"expected":70,"global_ts_usec":1428095655145347}
00375{"packet_event_id":1,"packet_event_name":"packet","packet_id":246,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":70,"pkt_l4_len":0,"thread_ts_usec":1233089082814433,"pkt":"ABkHJDzKPKn0ISL4CABFAAA0ZANAAIAGf24KAQGtCgEBpELuJYDc78x8AAAAAIACIAAl6QAAAgQFtAEDAwIBAQQC"}
00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":246,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1428095655145347,"flow_src_last_pkt_time":1428095655145347,"flow_dst_last_pkt_time":1428095655145347,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1428095655145347,"l3_proto":"ip4","src_ip":"10.1.1.173","dst_ip":"10.1.1.164","src_port":17134,"dst_port":9600,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5}
00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":246,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1428095655145347,"flow_dst_last_pkt_time":1428095655145347,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1428095655145347,"pkt":"ABkHJDzKPKn0ISL4CABFAAA0ZANAAIAGf24KAQGtCgEBpELuJYDc78x8AAAAAIACIAAl6QAAAgQFtAEDAwIBAQQC"}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":2,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655286926,"packet_id":247,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":58,"expected":62,"global_ts_usec":1428095655286926}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":2,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655286926,"packet_id":247,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":58,"expected":62,"global_ts_usec":1428095655286926}
00369{"packet_event_id":1,"packet_event_name":"packet","packet_id":247,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":62,"pkt_l4_len":0,"thread_ts_usec":1428095655145347,"pkt":"PKn0ISL4ABkHJDzKCABFAAAsCPcAABQGhoMKAQGkCgEBrSWAQu5Ka\/mo3O\/MfWASCGAmEAAAAgQCGA=="}
00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":247,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1428095655145347,"flow_dst_last_pkt_time":1428095655286926,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":24,"thread_ts_usec":1428095655286926,"pkt":"PKn0ISL4ABkHJDzKCABFAAAsCPcAABQGhoMKAQGkCgEBrSWAQu5Ka\/mo3O\/MfWASCGAmEAAAAgQCGA=="}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":3,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655287055,"packet_id":248,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655287055}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":3,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655287055,"packet_id":248,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655287055}
00360{"packet_event_id":1,"packet_event_name":"packet","packet_id":248,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":58,"pkt_l4_len":0,"thread_ts_usec":1428095655286926,"pkt":"ABkHJDzKPKn0ISL4CABFAAAoZARAAIAGf3kKAQGtCgEBpELuJYDc78x9Smv5qVAQ\/3BDIAAA"}
00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":248,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1428095655287055,"flow_dst_last_pkt_time":1428095655286926,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":20,"thread_ts_usec":1428095655287055,"pkt":"ABkHJDzKPKn0ISL4CABFAAAoZARAAIAGf3kKAQGtCgEBpELuJYDc78x9Smv5qVAQ\/3BDIAAA"}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":4,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655289816,"packet_id":249,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":74,"expected":78,"global_ts_usec":1428095655289816}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":4,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655289816,"packet_id":249,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":74,"expected":78,"global_ts_usec":1428095655289816}
00388{"packet_event_id":1,"packet_event_name":"packet","packet_id":249,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":78,"pkt_l4_len":0,"thread_ts_usec":1428095655287055,"pkt":"ABkHJDzKPKn0ISL4CABFAAA8ZAVAAIAGf2QKAQGtCgEBpELuJYDc78x9Smv5qVAY\/3CuWwAARklOUwAAAAwAAAAAAAAAAAAAAAA="}
00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":249,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":1428095655289816,"flow_dst_last_pkt_time":1428095655286926,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1428095655289816,"pkt":"ABkHJDzKPKn0ISL4CABFAAA8ZAVAAIAGf2QKAQGtCgEBpELuJYDc78x9Smv5qVAY\/3CuWwAARklOUwAAAAwAAAAAAAAAAAAAAAA="}
00922{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":249,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1428095655145347,"flow_src_last_pkt_time":1428095655289816,"flow_dst_last_pkt_time":1428095655286926,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":20,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1428095655289816,"l3_proto":"ip4","src_ip":"10.1.1.173","dst_ip":"10.1.1.164","src_port":17134,"dst_port":9600,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FINS","proto_id":"362","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":5,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655432184,"packet_id":250,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":78,"expected":82,"global_ts_usec":1428095655432184}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":5,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655432184,"packet_id":250,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":78,"expected":82,"global_ts_usec":1428095655432184}
00393{"packet_event_id":1,"packet_event_name":"packet","packet_id":250,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":82,"pkt_l4_len":0,"thread_ts_usec":1428095655289816,"pkt":"PKn0ISL4ABkHJDzKCABFAABACPgAABQGhm4KAQGkCgEBrSWAQu5Ka\/mp3O\/MkVAYCEyjoAAARklOUwAAABAAAAABAAAAAAAAAPsAAADI"}
00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":250,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":1428095655289816,"flow_dst_last_pkt_time":1428095655432184,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":44,"thread_ts_usec":1428095655432184,"pkt":"PKn0ISL4ABkHJDzKCABFAABACPgAABQGhm4KAQGkCgEBrSWAQu5Ka\/mp3O\/MkVAYCEyjoAAARklOUwAAABAAAAABAAAAAAAAAPsAAADI"}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":6,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655432629,"packet_id":251,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":83,"expected":87,"global_ts_usec":1428095655432629}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":6,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655432629,"packet_id":251,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":83,"expected":87,"global_ts_usec":1428095655432629}
00400{"packet_event_id":1,"packet_event_name":"packet","packet_id":251,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":87,"pkt_l4_len":0,"thread_ts_usec":1428095655432184,"pkt":"ABkHJDzKPKn0ISL4CABFAABFZAZAAIAGf1oKAQGtCgEBpELuJYDc78yRSmv5wVAY\/1hwKwAARklOUwAAABUAAAACAAAAAIAAAgDIAAAA7wUFAQA="}
-00340{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":7,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655590052,"packet_id":252,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":176,"expected":180,"global_ts_usec":1428095655590052}
+00340{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":7,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655590052,"packet_id":252,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":176,"expected":180,"global_ts_usec":1428095655590052}
00528{"packet_event_id":1,"packet_event_name":"packet","packet_id":252,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":176,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":180,"pkt_l4_len":0,"thread_ts_usec":1428095655432629,"pkt":"PKn0ISL4ABkHJDzKCABFAACiCPkAABQGhgsKAQGkCgEBrSWAQu5Ka\/nB3O\/MrlAYCC+h\/QAARklOUwAAAHIAAAACAAAAAMAAAgD77wDIAAUFAQAAQ1AxTC1FTDIwRFItRAAAACAgICAwMS4wMAAAAAAAMDEuMDYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAABAAMAChcqEAgAAAAAAAA="}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":8,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655590846,"packet_id":253,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655590846}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":8,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655590846,"packet_id":253,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655590846}
00360{"packet_event_id":1,"packet_event_name":"packet","packet_id":253,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":58,"pkt_l4_len":0,"thread_ts_usec":1428095655590052,"pkt":"ABkHJDzKPKn0ISL4CABFAAAoZApAAIAGf3MKAQGtCgEBpELuJYDc78yuSmv6O1AR\/t5C7gAA"}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":9,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655734575,"packet_id":254,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655734575}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":9,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655734575,"packet_id":254,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655734575}
00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":254,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":58,"pkt_l4_len":0,"thread_ts_usec":1428095655590846,"pkt":"PKn0ISL4ABkHJDzKCABFAAAoCPoAABQGhoQKAQGkCgEBrSWAQu5Ka\/o73O\/Mr1ARCC45ngAA"}
-00339{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":10,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655734613,"packet_id":255,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655734613}
+00339{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":10,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095655734613,"packet_id":255,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":54,"expected":58,"global_ts_usec":1428095655734613}
00360{"packet_event_id":1,"packet_event_name":"packet","packet_id":255,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":58,"pkt_l4_len":0,"thread_ts_usec":1428095655734575,"pkt":"ABkHJDzKPKn0ISL4CABFAAAoZA1AAIAGf3AKAQGtCgEBpELuJYDc78yvSmv6PFAQ\/t5C7QAA"}
00971{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":245,"flow_dst_packets_processed":0,"flow_first_seen":1233089082809333,"flow_src_last_pkt_time":1233089082814433,"flow_dst_last_pkt_time":1233089082809333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":6597,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1428095655734613,"l3_proto":"ip4","src_ip":"10.4.14.102","dst_ip":"10.130.130.130","src_port":58722,"dst_port":9600,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"FINS","proto_id":"362","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-00338{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":1,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095675892372,"packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":55,"expected":59,"global_ts_usec":1428095675892372}
+00338{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":1,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095675892372,"packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":55,"expected":59,"global_ts_usec":1428095675892372}
00363{"packet_event_id":1,"packet_event_name":"packet","packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":55,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":59,"pkt_l4_len":0,"thread_ts_usec":1428095655734613,"pkt":"ABkHJDzKPKn0ISL4CABFAAApZUwAAIARviUKAQGtCgEBpNZHJYAAFWRWgAACAAAAAGMA7wUBAA=="}
00770{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1428095675892372,"flow_src_last_pkt_time":1428095675892372,"flow_dst_last_pkt_time":1428095675892372,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":13,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1428095675892372,"l3_proto":"ip4","src_ip":"10.1.1.173","dst_ip":"10.1.1.164","src_port":54855,"dst_port":9600,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5}
00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1428095675892372,"flow_dst_last_pkt_time":1428095675892372,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":55,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":59,"pkt_l4_len":21,"thread_ts_usec":1428095675892372,"pkt":"ABkHJDzKPKn0ISL4CABFAAApZUwAAIARviUKAQGtCgEBpNZHJYAAFWRWgAACAAAAAGMA7wUBAA=="}
00922{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1428095675892372,"flow_src_last_pkt_time":1428095675892372,"flow_dst_last_pkt_time":1428095675892372,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":13,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1428095675892372,"l3_proto":"ip4","src_ip":"10.1.1.173","dst_ip":"10.1.1.164","src_port":54855,"dst_port":9600,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"FINS","proto_id":"362","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}
-00340{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":2,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095676054158,"packet_id":257,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":148,"expected":152,"global_ts_usec":1428095676054158}
+00340{"error_event_id":14,"error_event_name":"Captured packet size is smaller than expected packet size","threshold_n":2,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1428095676054158,"packet_id":257,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","size":148,"expected":152,"global_ts_usec":1428095676054158}
00489{"packet_event_id":1,"packet_event_name":"packet","packet_id":257,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","pkt_datalink":1,"pkt_caplen":148,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":152,"pkt_l4_len":0,"thread_ts_usec":1428095675892372,"pkt":"PKn0ISL4ABkHJDzKCABFAACGCP0AABQRhhgKAQGkCgEBrSWA1kcAcoFswAACAGMAAMgA7wUBAABDUDFMLUVMMjBEUi1EAAAAICAgIDAxLjAwAAAAAAAwMS4wNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAEAAwAKFyoQCAAAAAAAAA=="}
00653{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1428095675892372,"flow_dst_last_pkt_time":1428095676054158,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":148,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":114,"thread_ts_usec":1428095676054158,"pkt":"PKn0ISL4ABkHJDzKCABFAACGCP0AABQRhhgKAQGkCgEBrSWA1kcAcoFswAACAGMAAMgA7wUBAABDUDFMLUVMMjBEUi1EAAAAICAgIDAxLjAwAAAAAAAwMS4wNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAEAAwAKFyoQCAAAAAAAAA=="}
00964{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":257,"source":"cfgs\/default\/pcap\/fins.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1428095655145347,"flow_src_last_pkt_time":1428095655734613,"flow_dst_last_pkt_time":1428095655734575,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":29,"flow_dst_max_l4_payload_len":122,"flow_src_tot_l4_payload_len":49,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1428095676054158,"l3_proto":"ip4","src_ip":"10.1.1.173","dst_ip":"10.1.1.164","src_port":17134,"dst_port":9600,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"FINS","proto_id":"362","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}}