author | Toni Uhlig <matzeton@googlemail.com> | 2024-09-09 09:29:08 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2024-09-09 09:29:08 +0200 |
commit | aef9d629f01b66a5e1985f265e9c74fd40542fe1 (patch) | |
tree | 7ef5f363f149395ee4fe40a893894361da42a846 /test/results/flow-captured | |
parent | f97b3880b6d6e577bdd197faab25baf139dd9254 (diff) |
bump libnDPI to 92507c014626bc542f2ab11c729742802c0bc345
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/flow-captured')
84 files changed, 209 insertions, 169 deletions
diff --git a/test/results/flow-captured/caches_cfg/teams.pcap.out b/test/results/flow-captured/caches_cfg/teams.pcap.out index e2f4067c2..f9a450ce5 100644 --- a/test/results/flow-captured/caches_cfg/teams.pcap.out +++ b/test/results/flow-captured/caches_cfg/teams.pcap.out @@ -4,8 +4,6 @@ Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443 Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016 Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443 Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443 -Flow 76 risky: udp 192.168.1.6:50016 -> 192.168.0.4:50005 -Flow 77 risky: udp 192.168.1.6:50036 -> 192.168.0.4:50020 Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53 Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443 Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443 diff --git a/test/results/flow-captured/caches_global/teams.pcap.out b/test/results/flow-captured/caches_global/teams.pcap.out index e2f4067c2..f9a450ce5 100644 --- a/test/results/flow-captured/caches_global/teams.pcap.out +++ b/test/results/flow-captured/caches_global/teams.pcap.out @@ -4,8 +4,6 @@ Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443 Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016 Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443 Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443 -Flow 76 risky: udp 192.168.1.6:50016 -> 192.168.0.4:50005 -Flow 77 risky: udp 192.168.1.6:50036 -> 192.168.0.4:50020 Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53 Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443 Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443 diff --git a/test/results/flow-captured/caches_global/zoom_p2p.pcapng.out b/test/results/flow-captured/caches_global/zoom_p2p.pcapng.out index e69de29bb..6b18616d3 100644 --- a/test/results/flow-captured/caches_global/zoom_p2p.pcapng.out +++ b/test/results/flow-captured/caches_global/zoom_p2p.pcapng.out 
@@ -0,0 +1,5 @@ +Flow 5 risky: icmp 206.247.87.213 -> 192.168.12.156 +Flow 6 risky: udp 192.168.12.156:38453 -> 192.168.1.226:41036 +Flow 10 risky: icmp 206.247.10.253 -> 192.168.12.156 +Flow 12 risky: udp 192.168.12.156:42208 -> 10.78.14.178:47312 +Flow 13 risky: udp 192.168.12.156:49579 -> 10.78.14.178:49586 diff --git a/test/results/flow-captured/default/1kxun.pcap.out b/test/results/flow-captured/default/1kxun.pcap.out index e818177e6..e68307bbc 100644 --- a/test/results/flow-captured/default/1kxun.pcap.out +++ b/test/results/flow-captured/default/1kxun.pcap.out @@ -43,6 +43,7 @@ Flow 158 midstream: tcp 192.168.2.126:49372 -> 14.136.136.108:80 Flow 150 midstream: tcp 192.168.2.126:45416 -> 161.117.13.29:80 Flow 147 midstream: tcp 192.168.2.126:45388 -> 161.117.13.29:80 Flow 148 midstream: tcp 192.168.2.126:45398 -> 161.117.13.29:80 +Flow 163 risky: tcp 192.168.2.126:44368 -> 172.217.18.98:80 Flow 163 midstream: tcp 192.168.2.126:44368 -> 172.217.18.98:80 Flow 178 risky: tcp 192.168.2.126:56826 -> 8.209.97.107:80 Flow 178 midstream: tcp 192.168.2.126:56826 -> 8.209.97.107:80 @@ -72,9 +73,11 @@ Flow 165 midstream: tcp 192.168.2.126:50148 -> 161.117.13.29:80 Flow 166 midstream: tcp 192.168.2.126:50164 -> 161.117.13.29:80 Flow 167 midstream: tcp 192.168.2.126:50166 -> 161.117.13.29:80 Flow 168 midstream: tcp 192.168.2.126:50176 -> 161.117.13.29:80 +Flow 153 risky: tcp 192.168.2.126:41390 -> 18.64.79.37:80 Flow 153 midstream: tcp 192.168.2.126:41390 -> 18.64.79.37:80 Flow 197 midstream: tcp 192.168.2.126:51686 -> 18.64.79.64:80 Flow 156 midstream: tcp 192.168.2.126:36732 -> 142.250.186.174:80 +Flow 194 risky: tcp 192.168.2.126:53416 -> 172.217.16.142:80 Flow 194 midstream: tcp 192.168.2.126:53416 -> 172.217.16.142:80 Flow 189 midstream: tcp 192.168.2.126:42554 -> 35.156.44.13:80 Flow 190 risky: tcp 192.168.2.126:42566 -> 35.156.44.13:80 
diff --git a/test/results/flow-captured/default/Oscar.pcap.out b/test/results/flow-captured/default/Oscar.pcap.out index e69de29bb..3bc3973f8 100644 --- a/test/results/flow-captured/default/Oscar.pcap.out +++ b/test/results/flow-captured/default/Oscar.pcap.out @@ -0,0 +1,2 @@ +Flow 1 guessed: tcp 10.30.29.3:63357 -> 178.237.24.249:443 +Flow 1 not-detected: tcp 10.30.29.3:63357 -> 178.237.24.249:443 diff --git a/test/results/flow-captured/default/alexa-app.pcapng.out b/test/results/flow-captured/default/alexa-app.pcapng.out index e0548740c..b3d3ac84c 100644 --- a/test/results/flow-captured/default/alexa-app.pcapng.out +++ b/test/results/flow-captured/default/alexa-app.pcapng.out @@ -1,11 +1,15 @@ Flow 28 risky: tcp 172.16.42.216:45661 -> 52.94.232.134:443 +Flow 14 risky: icmp 172.16.42.1 -> 172.16.42.216 Flow 80 risky: tcp 172.16.42.216:45703 -> 52.94.232.134:443 Flow 87 risky: tcp 172.16.42.216:45710 -> 52.94.232.134:443 Flow 89 risky: tcp 172.16.42.216:45712 -> 52.94.232.134:443 Flow 107 risky: tcp 172.16.42.216:40856 -> 54.239.29.253:443 Flow 105 risky: tcp 172.16.42.216:40854 -> 54.239.29.253:443 Flow 88 risky: tcp 172.16.42.216:45711 -> 52.94.232.134:443 +Flow 120 risky: tcp 172.16.42.216:51986 -> 52.84.63.56:80 Flow 125 risky: tcp 172.16.42.216:40871 -> 54.239.29.253:443 +Flow 129 risky: tcp 172.16.42.216:51995 -> 52.84.63.56:80 +Flow 126 risky: tcp 172.16.42.216:51992 -> 52.84.63.56:80 Flow 45 risky: tcp 172.16.42.216:49589 -> 52.94.232.134:80 Flow 29 risky: tcp 172.16.42.216:45662 -> 52.94.232.134:443 Flow 30 risky: tcp 172.16.42.216:45663 -> 52.94.232.134:443 
@@ -26,6 +30,15 @@ Flow 72 risky: tcp 172.16.42.216:45697 -> 52.94.232.134:443 Flow 74 risky: tcp 172.16.42.216:45698 -> 52.94.232.134:443 Flow 157 risky: tcp 172.16.42.216:38483 -> 52.85.209.143:443 Flow 142 risky: tcp 172.16.42.216:50799 -> 54.239.28.178:443 +Flow 119 risky: tcp 172.16.42.216:51985 -> 52.84.63.56:80 +Flow 121 risky: tcp 172.16.42.216:51987 -> 52.84.63.56:80 +Flow 122 risky: tcp 172.16.42.216:51988 -> 52.84.63.56:80 +Flow 123 risky: tcp 172.16.42.216:51989 -> 52.84.63.56:80 +Flow 124 risky: tcp 172.16.42.216:51990 -> 52.84.63.56:80 +Flow 127 risky: tcp 172.16.42.216:51993 -> 52.84.63.56:80 +Flow 128 risky: tcp 172.16.42.216:51994 -> 52.84.63.56:80 +Flow 130 risky: tcp 172.16.42.216:51996 -> 52.84.63.56:80 +Flow 131 risky: tcp 172.16.42.216:51997 -> 52.84.63.56:80 Flow 93 risky: tcp 172.16.42.216:49630 -> 52.94.232.134:80 Flow 117 risky: tcp 172.16.42.216:40864 -> 54.239.29.253:443 Flow 132 risky: tcp 172.16.42.216:40878 -> 54.239.29.253:443 diff --git a/test/results/flow-captured/default/android.pcap.out b/test/results/flow-captured/default/android.pcap.out index c16a35e24..ea5892663 100644 --- a/test/results/flow-captured/default/android.pcap.out +++ b/test/results/flow-captured/default/android.pcap.out @@ -3,3 +3,5 @@ Flow 3 midstream: tcp 17.248.176.75:443 -> 192.168.2.17:50580 Flow 2 risky: tcp 17.248.176.75:443 -> 192.168.2.17:50584 Flow 2 midstream: tcp 17.248.176.75:443 -> 192.168.2.17:50584 Flow 5 midstream: tcp 17.248.185.10:443 -> 192.168.2.17:50702 +Flow 39 risky: tcp 192.168.2.16:36834 -> 173.194.79.114:80 +Flow 52 risky: tcp 192.168.2.16:36848 -> 173.194.79.114:80 diff --git a/test/results/flow-captured/default/atg.pcap.out b/test/results/flow-captured/default/atg.pcap.out new file mode 100644 index 000000000..39087a13a --- /dev/null +++ b/test/results/flow-captured/default/atg.pcap.out @@ -0,0 +1 @@ +Flow 1 midstream: tcp 192.168.0.105:3134 -> 20.108.25.119:10001 
diff --git a/test/results/flow-captured/default/h323_tcp.pcap.out b/test/results/flow-captured/default/bfcp.pcapng.out index e69de29bb..e69de29bb 100644 --- a/test/results/flow-captured/default/h323_tcp.pcap.out +++ b/test/results/flow-captured/default/bfcp.pcapng.out diff --git a/test/results/flow-captured/default/bt-http.pcapng.out b/test/results/flow-captured/default/bt-http.pcapng.out index e69de29bb..8fa10a571 100644 --- a/test/results/flow-captured/default/bt-http.pcapng.out +++ b/test/results/flow-captured/default/bt-http.pcapng.out @@ -0,0 +1 @@ +Flow 1 risky: tcp 192.168.1.128:46882 -> 176.31.225.118:80 diff --git a/test/results/flow-captured/dns_subclassification_disable/dns.pcap.out b/test/results/flow-captured/default/cnp_ip.pcapng.out index e69de29bb..e69de29bb 100644 --- a/test/results/flow-captured/dns_subclassification_disable/dns.pcap.out +++ b/test/results/flow-captured/default/cnp_ip.pcapng.out diff --git a/test/results/flow-captured/default/codm.pcap.out b/test/results/flow-captured/default/codm.pcap.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/codm.pcap.out diff --git a/test/results/flow-captured/default/conncheck.pcap.out b/test/results/flow-captured/default/conncheck.pcap.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/conncheck.pcap.out diff --git a/test/results/flow-captured/default/dtls.pcap.out b/test/results/flow-captured/default/dtls.pcap.out index e69de29bb..bed9794a6 100644 --- a/test/results/flow-captured/default/dtls.pcap.out +++ b/test/results/flow-captured/default/dtls.pcap.out @@ -0,0 +1 @@ +Flow 2 risky: udp 127.0.0.1:40983 -> 127.0.0.1:11111 diff --git a/test/results/flow-captured/default/egd.pcapng.out b/test/results/flow-captured/default/egd.pcapng.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/egd.pcapng.out 
diff --git a/test/results/flow-captured/default/false_positives.pcapng.out b/test/results/flow-captured/default/false_positives.pcapng.out new file mode 100644 index 000000000..34f891ca0 --- /dev/null +++ b/test/results/flow-captured/default/false_positives.pcapng.out @@ -0,0 +1 @@ +Flow 2 not-detected: udp 192.168.12.156:37649 -> 57.128.172.97:9981 diff --git a/test/results/flow-captured/default/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-captured/default/fuzz-2006-06-26-2594.pcap.out index e8cdea6f4..e6f3619fb 100644 --- a/test/results/flow-captured/default/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/flow-captured/default/fuzz-2006-06-26-2594.pcap.out @@ -60,7 +60,6 @@ Flow 40 not-detected: tcp 37.115.0.253:58999 -> 192.168.1.2:2721 Flow 37 not-detected: 170 170.170.170.170 -> 170.170.170.170 Flow 30 not-detected: tcp 147.234.1.249:2069 -> 192.168.1.2:2720 Flow 30 midstream: tcp 147.234.1.249:2069 -> 192.168.1.2:2720 -Flow 32 midstream: tcp 147.234.1.253:21 -> 192.168.1.2:2732 Flow 237 not-detected: udp 81.168.1.2:30000 -> 212.242.33.36:40392 Flow 28 not-detected: tcp 147.234.1.253:120 -> 192.168.1.2:2720 Flow 28 midstream: tcp 147.234.1.253:120 -> 192.168.1.2:2720 diff --git a/test/results/flow-captured/default/gnutella.pcap.out b/test/results/flow-captured/default/gnutella.pcap.out index f369671cf..56fadb54c 100644 --- a/test/results/flow-captured/default/gnutella.pcap.out +++ b/test/results/flow-captured/default/gnutella.pcap.out @@ -164,6 +164,7 @@ Flow 319 risky: udp 10.0.2.15:28681 -> 164.132.10.25:55302 Flow 330 risky: udp 10.0.2.15:28681 -> 82.64.44.11:1352 Flow 326 risky: udp 10.0.2.15:28681 -> 100.1.231.138:56558 Flow 336 risky: udp 10.0.2.15:28681 -> 80.7.252.192:6888 +Flow 349 risky: icmp 84.197.97.94 -> 10.0.2.15 Flow 338 risky: udp 10.0.2.15:28681 -> 221.198.205.196:20778 Flow 340 risky: udp 10.0.2.15:28681 -> 38.142.119.234:49732 Flow 350 risky: udp 10.0.2.15:28681 -> 99.250.253.99:11819 
@@ -316,6 +317,7 @@ Flow 491 risky: udp 10.0.2.15:28681 -> 36.233.42.210:5512 Flow 492 risky: udp 10.0.2.15:28681 -> 172.94.41.71:6346 Flow 90 not-detected: tcp 10.0.2.15:50245 -> 73.62.225.181:46843 Flow 300 not-detected: udp 10.0.2.15:28681 -> 104.238.172.250:23548 +Flow 745 risky: icmp 164.132.10.25 -> 10.0.2.15 Flow 509 risky: udp 10.0.2.15:28681 -> 92.142.109.190:41370 Flow 511 risky: udp 10.0.2.15:28681 -> 68.47.223.27:6346 Flow 496 risky: udp 10.0.2.15:28681 -> 218.173.230.98:19004 @@ -651,6 +653,7 @@ Flow 541 not-detected: udp 10.0.2.15:28681 -> 114.27.24.95:11141 Flow 547 not-detected: udp 10.0.2.15:28681 -> 213.229.111.224:43316 Flow 530 not-detected: udp 10.0.2.15:28681 -> 118.167.248.220:59304 Flow 540 not-detected: udp 10.0.2.15:28681 -> 36.236.203.37:52131 +Flow 783 risky: icmp 65.182.231.232 -> 10.0.2.15 Flow 754 not-detected: udp 10.0.2.15:28681 -> 84.125.218.84:17561 Flow 573 not-detected: udp 10.0.2.15:28681 -> 71.239.173.18:23327 Flow 383 not-detected: udp 10.0.2.15:28681 -> 84.71.243.60:34498 @@ -663,6 +666,7 @@ Flow 789 risky: udp 10.0.2.15:28681 -> 42.98.115.128:23458 Flow 790 risky: udp 10.0.2.15:28681 -> 218.164.39.233:20855 Flow 785 risky: udp 10.0.2.15:28681 -> 176.134.139.39:6346 Flow 791 risky: udp 10.0.2.15:28681 -> 219.85.11.85:10722 +Flow 797 risky: icmp 154.3.42.209 -> 10.0.2.15 Flow 52 not-detected: tcp 10.0.2.15:50212 -> 95.17.124.40:6776 Flow 777 not-detected: udp 10.0.2.15:28681 -> 124.244.211.43:23459 Flow 245 not-detected: tcp 10.0.2.15:50289 -> 74.195.236.249:18557 diff --git a/test/results/flow-captured/default/googledns_android10.pcap.out b/test/results/flow-captured/default/googledns_android10.pcap.out index 2551e4bf2..6814757f0 100644 --- a/test/results/flow-captured/default/googledns_android10.pcap.out +++ b/test/results/flow-captured/default/googledns_android10.pcap.out 
@@ -1,3 +1,4 @@ Flow 4 risky: tcp 192.168.1.159:48048 -> 8.8.4.4:853 +Flow 5 risky: icmp 192.168.1.159 -> 8.8.8.8 Flow 7 risky: tcp 192.168.1.159:48098 -> 8.8.4.4:853 Flow 8 risky: tcp 192.168.1.159:48210 -> 8.8.4.4:853 diff --git a/test/results/flow-captured/default/h323.pcap.out b/test/results/flow-captured/default/h323.pcap.out index 1892ef261..6ddc4dba2 100644 --- a/test/results/flow-captured/default/h323.pcap.out +++ b/test/results/flow-captured/default/h323.pcap.out @@ -1 +1,2 @@ -Flow 2 midstream: tcp 17.2.0.124:3032 -> 17.2.0.122:1720 +Flow 2 risky: tcp 10.1.3.143:32804 -> 10.1.6.18:1232 +Flow 5 midstream: tcp 17.2.0.124:3032 -> 17.2.0.122:1720 diff --git a/test/results/flow-captured/default/haproxy.pcap.out b/test/results/flow-captured/default/haproxy.pcap.out index cf0b40fae..ab80d1b74 100644 --- a/test/results/flow-captured/default/haproxy.pcap.out +++ b/test/results/flow-captured/default/haproxy.pcap.out @@ -1 +1,2 @@ +Flow 1 risky: tcp 1.1.1.1:48502 -> 2.2.2.2:443 Flow 1 midstream: tcp 1.1.1.1:48502 -> 2.2.2.2:443 diff --git a/test/results/flow-captured/default/heuristic_tcp_ack_payload.pcap.out b/test/results/flow-captured/default/heuristic_tcp_ack_payload.pcap.out index e69de29bb..adb904d07 100644 --- a/test/results/flow-captured/default/heuristic_tcp_ack_payload.pcap.out +++ b/test/results/flow-captured/default/heuristic_tcp_ack_payload.pcap.out @@ -0,0 +1,8 @@ +Flow 1 guessed: tcp 194.226.199.21:58155 -> 52.18.127.189:443 +Flow 1 not-detected: tcp 194.226.199.21:58155 -> 52.18.127.189:443 +Flow 3 guessed: tcp 194.226.199.61:27453 -> 35.241.9.150:443 +Flow 3 not-detected: tcp 194.226.199.61:27453 -> 35.241.9.150:443 +Flow 6 guessed: tcp 194.226.199.61:6946 -> 2.22.40.186:443 +Flow 6 not-detected: tcp 194.226.199.61:6946 -> 2.22.40.186:443 +Flow 5 guessed: tcp 194.226.199.103:62580 -> 217.69.139.59:443 +Flow 5 not-detected: tcp 194.226.199.103:62580 -> 217.69.139.59:443 
diff --git a/test/results/flow-captured/default/hls.pcapng.out b/test/results/flow-captured/default/hls.pcapng.out new file mode 100644 index 000000000..c5dfa168e --- /dev/null +++ b/test/results/flow-captured/default/hls.pcapng.out @@ -0,0 +1 @@ +Flow 1 risky: tcp 10.215.173.1:41644 -> 192.168.88.231:8080 diff --git a/test/results/flow-captured/default/http-proxy.pcapng.out b/test/results/flow-captured/default/http-proxy.pcapng.out index e69de29bb..8ef1ee897 100644 --- a/test/results/flow-captured/default/http-proxy.pcapng.out +++ b/test/results/flow-captured/default/http-proxy.pcapng.out @@ -0,0 +1 @@ +Flow 1 risky: tcp 192.168.1.103:1241 -> 192.168.1.146:8080 diff --git a/test/results/flow-captured/default/http_connect.pcap.out b/test/results/flow-captured/default/http_connect.pcap.out index e69de29bb..9b8177c39 100644 --- a/test/results/flow-captured/default/http_connect.pcap.out +++ b/test/results/flow-captured/default/http_connect.pcap.out @@ -0,0 +1 @@ +Flow 1 risky: tcp 192.168.1.103:1714 -> 192.168.1.146:8080 diff --git a/test/results/flow-captured/default/instagram.pcap.out b/test/results/flow-captured/default/instagram.pcap.out index 1574dfaae..30265e546 100644 --- a/test/results/flow-captured/default/instagram.pcap.out +++ b/test/results/flow-captured/default/instagram.pcap.out 
@@ -3,6 +3,15 @@ Flow 4 midstream: tcp 192.168.0.103:57936 -> 82.85.26.162:80 Flow 5 midstream: tcp 192.168.0.103:44379 -> 82.85.26.186:80 Flow 26 midstream: tcp 192.168.0.103:58052 -> 82.85.26.162:80 Flow 30 midstream: tcp 192.168.0.103:58690 -> 46.33.70.159:443 +Flow 7 guessed: tcp 192.168.0.103:33976 -> 77.67.29.17:80 +Flow 7 not-detected: tcp 192.168.0.103:33976 -> 77.67.29.17:80 +Flow 7 midstream: tcp 192.168.0.103:33976 -> 77.67.29.17:80 +Flow 28 guessed: tcp 31.13.86.52:80 -> 192.168.0.103:58216 +Flow 28 not-detected: tcp 31.13.86.52:80 -> 192.168.0.103:58216 +Flow 28 midstream: tcp 31.13.86.52:80 -> 192.168.0.103:58216 Flow 1 risky: tcp 192.168.0.103:56382 -> 173.252.107.4:443 +Flow 29 guessed: tcp 2.22.236.51:80 -> 192.168.0.103:44151 +Flow 29 not-detected: tcp 2.22.236.51:80 -> 192.168.0.103:44151 +Flow 29 midstream: tcp 2.22.236.51:80 -> 192.168.0.103:44151 Flow 2 midstream: tcp 192.168.0.103:33936 -> 31.13.93.52:443 Flow 11 not-detected: udp 192.168.0.1:520 -> 192.168.0.255:520 diff --git a/test/results/flow-captured/default/iqiyi.pcap.out b/test/results/flow-captured/default/iqiyi.pcap.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/iqiyi.pcap.out diff --git a/test/results/flow-captured/default/jabber.pcap.out b/test/results/flow-captured/default/jabber.pcap.out index 2bcc043f2..50068dc3c 100644 --- a/test/results/flow-captured/default/jabber.pcap.out +++ b/test/results/flow-captured/default/jabber.pcap.out @@ -1,3 +1,4 @@ Flow 3 midstream: tcp 172.16.0.62:57126 -> 172.16.1.138:5222 +Flow 6 risky: tcp 172.16.0.62:57149 -> 172.16.1.138:5222 Flow 6 midstream: tcp 172.16.0.62:57149 -> 172.16.1.138:5222 Flow 4 midstream: tcp 172.16.0.62:57129 -> 172.16.1.138:5222 diff --git a/test/results/flow-captured/default/jrmi.pcap.out b/test/results/flow-captured/default/jrmi.pcap.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/jrmi.pcap.out 
diff --git a/test/results/flow-captured/default/kafka.pcapng.out b/test/results/flow-captured/default/kafka.pcapng.out index e69de29bb..4b06bf53e 100644 --- a/test/results/flow-captured/default/kafka.pcapng.out +++ b/test/results/flow-captured/default/kafka.pcapng.out @@ -0,0 +1,7 @@ +Flow 1 midstream: tcp 172.16.17.101:49280 -> 172.30.0.237:9092 +Flow 3 midstream: tcp 172.16.17.101:40042 -> 172.30.0.237:9092 +Flow 4 midstream: tcp 172.16.17.101:56556 -> 172.30.0.237:9092 +Flow 5 midstream: tcp 172.16.17.101:38176 -> 172.30.0.237:9092 +Flow 8 midstream: tcp 172.16.17.101:53052 -> 172.30.0.237:9092 +Flow 6 midstream: tcp 172.16.17.101:53768 -> 172.30.0.237:9092 +Flow 7 midstream: tcp 172.16.17.101:58300 -> 172.30.0.237:9092 diff --git a/test/results/flow-captured/default/knxip.pcapng.out b/test/results/flow-captured/default/knxip.pcapng.out new file mode 100644 index 000000000..18731b8a5 --- /dev/null +++ b/test/results/flow-captured/default/knxip.pcapng.out @@ -0,0 +1 @@ +Flow 2 midstream: tcp 192.168.1.28:3671 -> 192.168.1.24:54445 diff --git a/test/results/flow-captured/default/kontiki.pcap.out b/test/results/flow-captured/default/kontiki.pcap.out deleted file mode 100644 index a96831119..000000000 --- a/test/results/flow-captured/default/kontiki.pcap.out +++ /dev/null @@ -1,4 +0,0 @@ -Flow 3 risky: udp 10.25.32.59:19948 -> 64.200.148.86:8888 -Flow 1 not-detected: udp 10.25.32.59:19948 -> 255.255.255.255:19948 -Flow 2 not-detected: udp 10.25.32.59:19948 -> 64.200.148.82:1948 -Flow 5 risky: udp 10.25.32.59:19948 -> 64.200.148.88:80 diff --git a/test/results/flow-captured/default/ldp.pcap.out b/test/results/flow-captured/default/ldp.pcap.out new file mode 100644 index 000000000..fa2de810f --- /dev/null +++ b/test/results/flow-captured/default/ldp.pcap.out @@ -0,0 +1 @@ +Flow 3 midstream: tcp 10.0.1.1:45334 -> 10.0.0.6:646 
diff --git a/test/results/flow-captured/default/log4j-webapp-exploit.pcap.out b/test/results/flow-captured/default/log4j-webapp-exploit.pcap.out index d7be1a0c7..e4f62e7b7 100644 --- a/test/results/flow-captured/default/log4j-webapp-exploit.pcap.out +++ b/test/results/flow-captured/default/log4j-webapp-exploit.pcap.out @@ -1,6 +1,6 @@ +Flow 4 not-detected: tcp 172.16.238.10:55408 -> 10.10.10.31:9001 Flow 5 risky: tcp 172.16.238.10:57742 -> 172.16.238.11:1389 Flow 1 risky: tcp 172.16.238.1:1984 -> 172.16.238.10:8080 -Flow 4 not-detected: tcp 172.16.238.10:55408 -> 10.10.10.31:9001 Flow 7 not-detected: tcp 172.16.238.10:55498 -> 10.10.10.31:9001 Flow 3 risky: tcp 172.16.238.10:48444 -> 172.16.238.11:80 Flow 6 risky: tcp 172.16.238.10:48534 -> 172.16.238.11:80 diff --git a/test/results/flow-captured/default/lustre.pcapng.out b/test/results/flow-captured/default/lustre.pcapng.out new file mode 100644 index 000000000..9baf21d09 --- /dev/null +++ b/test/results/flow-captured/default/lustre.pcapng.out @@ -0,0 +1 @@ +Flow 2 midstream: tcp 192.168.88.118:1023 -> 192.168.88.119:988 diff --git a/test/results/flow-captured/default/malware.pcap.out b/test/results/flow-captured/default/malware.pcap.out index e69de29bb..27b5d9923 100644 --- a/test/results/flow-captured/default/malware.pcap.out +++ b/test/results/flow-captured/default/malware.pcap.out @@ -0,0 +1 @@ +Flow 2 risky: icmp 192.168.7.7 -> 144.139.247.220 diff --git a/test/results/flow-captured/default/nano.pcapng.out b/test/results/flow-captured/default/nano.pcapng.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/nano.pcapng.out diff --git a/test/results/flow-captured/default/netbios.pcap.out b/test/results/flow-captured/default/netbios.pcap.out index f61a5ea26..63bf50e5d 100644 --- a/test/results/flow-captured/default/netbios.pcap.out +++ b/test/results/flow-captured/default/netbios.pcap.out 
@@ -1,2 +1,3 @@ Flow 3 risky: udp 10.0.5.9:138 -> 10.0.5.255:138 Flow 12 risky: udp 10.0.5.93:138 -> 10.0.5.255:138 +Flow 16 midstream: tcp 10.19.71.184:55489 -> 10.17.113.129:139 diff --git a/test/results/flow-captured/default/openvpn.pcap.out b/test/results/flow-captured/default/openvpn.pcap.out index e1ddc9405..3578cc0d1 100644 --- a/test/results/flow-captured/default/openvpn.pcap.out +++ b/test/results/flow-captured/default/openvpn.pcap.out @@ -4,3 +4,5 @@ Flow 4 risky: tcp 192.168.1.77:60140 -> 46.101.231.218:443 Flow 5 risky: udp 192.168.43.12:41507 -> 139.59.151.137:13680 Flow 6 risky: udp 192.168.43.18:13680 -> 139.59.151.137:13680 Flow 8 risky: tcp 127.0.0.1:36138 -> 127.0.0.1:443 +Flow 10 risky: udp 192.168.12.156:37383 -> 217.138.197.43:1234 +Flow 9 risky: udp 192.168.12.156:41133 -> 107.161.86.131:443 diff --git a/test/results/flow-captured/default/openwire.pcapng.out b/test/results/flow-captured/default/openwire.pcapng.out new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/results/flow-captured/default/openwire.pcapng.out diff --git a/test/results/flow-captured/default/ossfuzz_seed_fake_traces_1.pcapng.out b/test/results/flow-captured/default/ossfuzz_seed_fake_traces_1.pcapng.out index 8f04d32ca..612ea67f0 100644 --- a/test/results/flow-captured/default/ossfuzz_seed_fake_traces_1.pcapng.out +++ b/test/results/flow-captured/default/ossfuzz_seed_fake_traces_1.pcapng.out @@ -8,6 +8,7 @@ Flow 3 risky: tcp 192.168.1.128:1 -> 12.129.206.130:1119 Flow 3 midstream: tcp 192.168.1.128:1 -> 12.129.206.130:1119 Flow 5 risky: tcp 192.168.1.128:1 -> 202.9.66.76:1119 Flow 5 midstream: tcp 192.168.1.128:1 -> 202.9.66.76:1119 +Flow 8 not-detected: udp 127.0.0.1:17788 -> 127.0.0.1:17788 Flow 9 risky: tcp 192.168.1.128:1 -> 1.2.3.4:10 Flow 9 midstream: tcp 192.168.1.128:1 -> 1.2.3.4:10 Flow 10 risky: tcp 192.168.1.128:1 -> 1.2.3.4:11 
diff --git a/test/results/flow-captured/default/pgsql2.pcapng.out b/test/results/flow-captured/default/pgsql2.pcapng.out new file mode 100644 index 000000000..b4cc597fd --- /dev/null +++ b/test/results/flow-captured/default/pgsql2.pcapng.out @@ -0,0 +1 @@ +Flow 1 risky: tcp 10.220.20.67:58574 -> 10.220.20.67:60102 diff --git a/test/results/flow-captured/default/pps.pcap.out b/test/results/flow-captured/default/pps.pcap.out deleted file mode 100644 index 3fed84771..000000000 --- a/test/results/flow-captured/default/pps.pcap.out +++ /dev/null 
@@ -1,126 +0,0 @@ -Flow 22 not-detected: udp 192.168.115.8:22793 -> 222.26.193.119:7133 -Flow 54 risky: tcp 192.168.115.8:50486 -> 77.234.40.96:80 -Flow 54 midstream: tcp 192.168.115.8:50486 -> 77.234.40.96:80 -Flow 25 not-detected: udp 192.168.115.8:22793 -> 115.157.62.243:29006 -Flow 13 not-detected: udp 192.168.115.8:22793 -> 111.250.102.66:1107 -Flow 64 risky: tcp 192.168.5.15:65127 -> 68.233.253.133:80 -Flow 64 midstream: tcp 192.168.5.15:65127 -> 68.233.253.133:80 -Flow 78 risky: tcp 192.168.5.15:65128 -> 68.233.253.133:80 -Flow 78 midstream: tcp 192.168.5.15:65128 -> 68.233.253.133:80 -Flow 24 not-detected: udp 192.168.115.8:22793 -> 222.26.74.190:1037 -Flow 26 not-detected: udp 192.168.115.8:22793 -> 210.44.232.243:21044 -Flow 27 not-detected: udp 192.168.115.8:22793 -> 1.169.136.116:17951 -Flow 39 midstream: tcp 192.168.115.8:50466 -> 203.66.182.24:80 -Flow 33 not-detected: udp 192.168.115.8:22793 -> 220.130.154.23:35941 -Flow 57 midstream: tcp 192.168.115.8:50488 -> 223.26.106.20:80 -Flow 60 risky: tcp 192.168.115.8:50491 -> 223.26.106.66:80 -Flow 60 midstream: tcp 192.168.115.8:50491 -> 223.26.106.66:80 -Flow 63 risky: tcp 192.168.115.8:50494 -> 223.26.106.66:80 -Flow 63 midstream: tcp 192.168.115.8:50494 -> 223.26.106.66:80 -Flow 81 risky: tcp 192.168.115.8:50505 -> 223.26.106.19:80 -Flow 81 midstream: tcp 192.168.115.8:50505 -> 223.26.106.19:80 -Flow 85 risky: tcp 192.168.115.8:50507 -> 223.26.106.19:80 -Flow 85 midstream: tcp 192.168.115.8:50507 -> 223.26.106.19:80 -Flow 88 risky: tcp 192.168.115.8:50508 -> 223.26.106.19:80 -Flow 88 midstream: tcp 192.168.115.8:50508 -> 223.26.106.19:80 -Flow 32 not-detected: udp 192.168.115.8:22793 -> 114.47.91.129:22576 -Flow 37 risky: tcp 192.168.115.8:50463 -> 101.227.200.11:80 -Flow 37 midstream: tcp 192.168.115.8:50463 -> 101.227.200.11:80 -Flow 47 risky: tcp 192.168.115.8:50476 -> 101.227.32.39:80 -Flow 47 midstream: tcp 192.168.115.8:50476 -> 101.227.32.39:80 -Flow 67 risky: tcp 192.168.115.8:50496 -> 
101.227.200.11:80 -Flow 67 midstream: tcp 192.168.115.8:50496 -> 101.227.200.11:80 -Flow 6 not-detected: udp 192.168.115.8:22793 -> 111.249.53.196:32443 -Flow 90 risky: tcp 192.168.115.8:50766 -> 223.26.106.20:80 -Flow 90 midstream: tcp 192.168.115.8:50766 -> 223.26.106.20:80 -Flow 91 risky: tcp 192.168.115.8:50767 -> 223.26.106.20:80 -Flow 91 midstream: tcp 192.168.115.8:50767 -> 223.26.106.20:80 -Flow 93 risky: tcp 192.168.115.8:50768 -> 223.26.106.19:80 -Flow 93 midstream: tcp 192.168.115.8:50768 -> 223.26.106.19:80 -Flow 102 midstream: tcp 192.168.115.8:50778 -> 223.26.106.20:80 -Flow 105 midstream: tcp 192.168.115.8:50780 -> 223.26.106.20:80 -Flow 3 not-detected: udp 192.168.115.8:22793 -> 114.42.0.158:7716 -Flow 12 not-detected: udp 192.168.115.8:22793 -> 210.44.171.1:29702 -Flow 58 risky: tcp 192.168.115.8:50489 -> 119.188.13.188:80 -Flow 58 midstream: tcp 192.168.115.8:50489 -> 119.188.13.188:80 -Flow 59 risky: tcp 192.168.115.8:50490 -> 119.188.13.188:80 -Flow 59 midstream: tcp 192.168.115.8:50490 -> 119.188.13.188:80 -Flow 94 risky: tcp 192.168.115.8:50769 -> 101.227.200.11:80 -Flow 94 midstream: tcp 192.168.115.8:50769 -> 101.227.200.11:80 -Flow 4 not-detected: udp 192.168.115.8:22793 -> 222.197.138.12:6956 -Flow 2 not-detected: udp 118.171.15.56:5544 -> 192.168.115.8:22793 -Flow 40 risky: tcp 192.168.115.8:50467 -> 202.108.14.219:80 -Flow 40 midstream: tcp 192.168.115.8:50467 -> 202.108.14.219:80 -Flow 41 risky: tcp 192.168.115.8:50469 -> 202.108.14.219:80 -Flow 41 midstream: tcp 192.168.115.8:50469 -> 202.108.14.219:80 -Flow 42 risky: tcp 192.168.115.8:50470 -> 202.108.14.236:80 -Flow 42 midstream: tcp 192.168.115.8:50470 -> 202.108.14.236:80 -Flow 43 risky: tcp 192.168.115.8:50471 -> 202.108.14.236:80 -Flow 43 midstream: tcp 192.168.115.8:50471 -> 202.108.14.236:80 -Flow 46 risky: tcp 192.168.115.8:50473 -> 202.108.14.219:80 -Flow 46 midstream: tcp 192.168.115.8:50473 -> 202.108.14.219:80 -Flow 44 risky: tcp 192.168.115.8:50474 -> 202.108.14.221:80 
-Flow 44 midstream: tcp 192.168.115.8:50474 -> 202.108.14.221:80
-Flow 45 risky: tcp 192.168.115.8:50475 -> 202.108.14.236:80
-Flow 45 midstream: tcp 192.168.115.8:50475 -> 202.108.14.236:80
-Flow 48 risky: tcp 192.168.115.8:50477 -> 202.108.14.219:80
-Flow 48 midstream: tcp 192.168.115.8:50477 -> 202.108.14.219:80
-Flow 51 risky: tcp 192.168.115.8:50483 -> 202.108.14.219:80
-Flow 51 midstream: tcp 192.168.115.8:50483 -> 202.108.14.219:80
-Flow 52 risky: tcp 192.168.115.8:50484 -> 202.108.14.219:80
-Flow 52 midstream: tcp 192.168.115.8:50484 -> 202.108.14.219:80
-Flow 53 risky: tcp 192.168.115.8:50485 -> 202.108.14.236:80
-Flow 53 midstream: tcp 192.168.115.8:50485 -> 202.108.14.236:80
-Flow 62 risky: tcp 192.168.115.8:50493 -> 202.108.14.236:80
-Flow 62 midstream: tcp 192.168.115.8:50493 -> 202.108.14.236:80
-Flow 66 risky: tcp 192.168.115.8:50495 -> 202.108.14.236:80
-Flow 66 midstream: tcp 192.168.115.8:50495 -> 202.108.14.236:80
-Flow 74 risky: tcp 192.168.115.8:50501 -> 202.108.14.236:80
-Flow 74 midstream: tcp 192.168.115.8:50501 -> 202.108.14.236:80
-Flow 76 risky: tcp 192.168.115.8:50502 -> 202.108.14.236:80
-Flow 76 midstream: tcp 192.168.115.8:50502 -> 202.108.14.236:80
-Flow 79 risky: tcp 192.168.115.8:50503 -> 202.108.14.219:80
-Flow 79 midstream: tcp 192.168.115.8:50503 -> 202.108.14.219:80
-Flow 23 not-detected: udp 192.168.115.8:22793 -> 114.37.142.173:1074
-Flow 7 not-detected: udp 192.168.115.8:22793 -> 219.228.107.156:1250
-Flow 16 not-detected: udp 192.168.115.8:22793 -> 36.233.39.81:18590
-Flow 38 midstream: tcp 192.168.115.8:50464 -> 123.125.112.49:80
-Flow 68 midstream: tcp 192.168.115.8:50497 -> 123.125.112.49:80
-Flow 50 midstream: tcp 192.168.115.8:50482 -> 140.205.243.64:80
-Flow 18 not-detected: udp 192.168.115.8:22793 -> 61.227.170.88:20227
-Flow 20 not-detected: udp 192.168.115.8:22793 -> 121.248.133.93:12757
-Flow 95 risky: tcp 192.168.115.8:50771 -> 202.108.14.236:80
-Flow 95 midstream: tcp 192.168.115.8:50771 -> 202.108.14.236:80
-Flow 19 not-detected: udp 192.168.115.8:22793 -> 202.112.31.89:29072
-Flow 97 risky: tcp 192.168.115.8:50773 -> 202.108.14.221:80
-Flow 97 midstream: tcp 192.168.115.8:50773 -> 202.108.14.221:80
-Flow 99 risky: tcp 192.168.115.8:50774 -> 202.108.14.219:80
-Flow 99 midstream: tcp 192.168.115.8:50774 -> 202.108.14.219:80
-Flow 28 not-detected: udp 192.168.115.8:22793 -> 114.41.144.153:10492
-Flow 14 not-detected: udp 192.168.115.8:22793 -> 61.223.204.67:11102
-Flow 71 risky: tcp 192.168.115.8:50498 -> 36.110.220.15:80
-Flow 71 midstream: tcp 192.168.115.8:50498 -> 36.110.220.15:80
-Flow 61 risky: tcp 192.168.115.8:50492 -> 111.206.13.3:80
-Flow 61 midstream: tcp 192.168.115.8:50492 -> 111.206.13.3:80
-Flow 72 risky: tcp 192.168.115.8:50499 -> 111.206.22.76:80
-Flow 72 midstream: tcp 192.168.115.8:50499 -> 111.206.22.76:80
-Flow 89 midstream: tcp 192.168.115.8:50509 -> 106.38.219.107:80
-Flow 96 midstream: tcp 192.168.115.8:50772 -> 123.125.111.70:80
-Flow 98 midstream: tcp 192.168.115.8:50775 -> 123.125.111.70:80
-Flow 8 not-detected: udp 183.228.182.44:13913 -> 192.168.115.8:22793
-Flow 21 not-detected: udp 192.168.115.8:22793 -> 1.175.128.104:5185
-Flow 31 not-detected: udp 192.168.115.8:22793 -> 210.47.12.20:33738
-Flow 30 not-detected: udp 192.168.115.8:22793 -> 210.47.12.19:33738
-Flow 92 risky: tcp 192.168.115.8:50765 -> 36.110.220.15:80
-Flow 92 midstream: tcp 192.168.115.8:50765 -> 36.110.220.15:80
-Flow 100 risky: tcp 192.168.115.8:50776 -> 111.206.22.77:80
-Flow 100 midstream: tcp 192.168.115.8:50776 -> 111.206.22.77:80
-Flow 101 risky: tcp 192.168.115.8:50777 -> 111.206.22.77:80
-Flow 101 midstream: tcp 192.168.115.8:50777 -> 111.206.22.77:80
-Flow 104 risky: tcp 192.168.115.8:50779 -> 111.206.22.77:80
-Flow 104 midstream: tcp 192.168.115.8:50779 -> 111.206.22.77:80
-Flow 17 not-detected: udp 192.168.115.8:22793 -> 111.117.101.81:10162
-Flow 1 not-detected: udp 1.173.5.226:22636 -> 192.168.115.8:22793
-Flow 5 not-detected: udp 192.168.115.8:22793 -> 202.198.7.89:16039
-Flow 73 midstream: tcp 192.168.115.8:50500 -> 23.41.133.163:80
-Flow 15 not-detected: udp 192.168.115.8:22793 -> 36.237.154.69:4316
diff --git a/test/results/flow-captured/default/quickplay.pcap.out b/test/results/flow-captured/default/quickplay.pcap.out
index 285969368..ab414a2de 100644
--- a/test/results/flow-captured/default/quickplay.pcap.out
+++ b/test/results/flow-captured/default/quickplay.pcap.out
@@ -9,6 +9,7 @@ Flow 12 midstream: tcp 10.54.169.250:42761 -> 203.205.129.101:80
 Flow 14 risky: tcp 10.54.169.250:42762 -> 203.205.129.101:80
 Flow 14 midstream: tcp 10.54.169.250:42762 -> 203.205.129.101:80
 Flow 6 midstream: tcp 10.54.169.250:33277 -> 120.28.26.231:80
+Flow 16 risky: tcp 10.54.169.250:56381 -> 54.179.140.65:80
 Flow 16 midstream: tcp 10.54.169.250:56381 -> 54.179.140.65:80
 Flow 19 midstream: tcp 10.54.169.250:52019 -> 120.28.35.40:80
 Flow 4 midstream: tcp 10.54.169.250:52285 -> 173.252.74.22:80
diff --git a/test/results/flow-captured/default/raknet.pcap.out b/test/results/flow-captured/default/raknet.pcap.out
index 7479c4c3b..47048865a 100644
--- a/test/results/flow-captured/default/raknet.pcap.out
+++ b/test/results/flow-captured/default/raknet.pcap.out
@@ -1,3 +1,6 @@
 Flow 5 risky: udp 192.168.2.100:32952 -> 148.153.35.205:60021
+Flow 7 risky: udp 192.168.2.100:32953 -> 148.153.35.205:60021
 Flow 6 risky: udp 148.153.35.205:60025 -> 192.168.2.100:32951
+Flow 8 not-detected: udp 192.168.2.100:60690 -> 148.153.35.205:60028
 Flow 11 risky: udp 192.168.2.100:44501 -> 148.153.35.205:59935
+Flow 12 not-detected: udp 148.153.35.205:43582 -> 192.168.2.100:44501
diff --git a/test/results/flow-captured/default/ripe_atlas.pcap.out b/test/results/flow-captured/default/ripe_atlas.pcap.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/ripe_atlas.pcap.out
diff --git a/test/results/flow-captured/default/sip.pcap.out b/test/results/flow-captured/default/sip.pcap.out
index e69de29bb..1090142cf 100644
--- a/test/results/flow-captured/default/sip.pcap.out
+++ b/test/results/flow-captured/default/sip.pcap.out
@@ -0,0 +1 @@
+Flow 4 not-detected: udp 192.168.1.2:30001 -> 212.242.33.36:40393
diff --git a/test/results/flow-captured/default/ssh.pcap.out b/test/results/flow-captured/default/ssh.pcap.out
index f9dd7de82..314880526 100644
--- a/test/results/flow-captured/default/ssh.pcap.out
+++ b/test/results/flow-captured/default/ssh.pcap.out
@@ -1 +1,2 @@
 Flow 1 risky: tcp 172.16.238.1:58395 -> 172.16.238.168:22
+Flow 2 risky: tcp 127.0.0.1:58496 -> 127.0.0.1:8000
diff --git a/test/results/flow-captured/default/ssh_unidirectional.pcap.out b/test/results/flow-captured/default/ssh_unidirectional.pcap.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/ssh_unidirectional.pcap.out
diff --git a/test/results/flow-captured/default/stun.pcap.out b/test/results/flow-captured/default/stun.pcap.out
index 744f2a8bc..19e9b46e3 100644
--- a/test/results/flow-captured/default/stun.pcap.out
+++ b/test/results/flow-captured/default/stun.pcap.out
@@ -1,2 +1,3 @@
 Flow 2 risky: udp 192.168.12.169:43016 -> 74.125.247.128:3478
+Flow 3 risky: icmp 192.168.12.169 -> 74.125.247.128
 Flow 5 risky: udp 192.168.12.169:38123 -> 31.13.86.54:40003
diff --git a/test/results/flow-captured/default/stun_google_meet.pcapng.out b/test/results/flow-captured/default/stun_google_meet.pcapng.out
index b192b4471..d406e6c37 100644
--- a/test/results/flow-captured/default/stun_google_meet.pcapng.out
+++ b/test/results/flow-captured/default/stun_google_meet.pcapng.out
@@ -1,5 +1,4 @@
 Flow 3 risky: udp 192.168.12.156:38152 -> 142.250.82.76:19305
-Flow 4 risky: udp 192.168.12.156:45400 -> 142.250.82.76:19305
 Flow 2 risky: udp 192.168.12.156:45400 -> 74.125.128.127:19302
 Flow 1 risky: udp 192.168.12.156:38152 -> 74.125.128.127:19302
 Flow 7 risky: udp 2001:b07:a3d:c112:48a1:1094:1227:281e:45572 -> 2001:4860:4864:6::81:19305
diff --git a/test/results/flow-captured/default/stun_signal.pcapng.out b/test/results/flow-captured/default/stun_signal.pcapng.out
index 44fe66f11..cf96af8df 100644
--- a/test/results/flow-captured/default/stun_signal.pcapng.out
+++ b/test/results/flow-captured/default/stun_signal.pcapng.out
@@ -1,4 +1,5 @@
 Flow 14 risky: udp 192.168.12.169:43068 -> 18.195.131.143:61156
+Flow 7 risky: icmp 35.158.183.167 -> 192.168.12.169
 Flow 3 risky: udp 192.168.12.169:47204 -> 35.158.183.167:443
 Flow 6 risky: udp 192.168.12.169:39518 -> 35.158.183.167:443
 Flow 23 risky: udp 192.168.12.169:47767 -> 18.195.131.143:61498
@@ -7,9 +8,9 @@ Flow 10 risky: udp 192.168.12.169:43068 -> 172.253.121.127:19302
 Flow 12 risky: udp 192.168.12.169:39950 -> 35.158.183.167:443
 Flow 11 risky: udp 192.168.12.169:39950 -> 172.253.121.127:19302
 Flow 20 risky: udp 192.168.12.169:37970 -> 35.158.122.211:3478
-Flow 22 risky: udp 192.168.12.169:47767 -> 18.195.131.143:54054
 Flow 17 risky: udp 192.168.12.169:47767 -> 35.158.122.211:443
 Flow 15 risky: udp 192.168.12.169:47767 -> 172.253.121.127:19302
 Flow 18 risky: udp 192.168.12.169:37970 -> 35.158.122.211:443
 Flow 16 risky: udp 192.168.12.169:37970 -> 172.253.121.127:19302
+Flow 21 risky: icmp 35.158.122.211 -> 192.168.12.169
 Flow 19 risky: udp 192.168.12.169:47767 -> 35.158.122.211:3478
diff --git a/test/results/flow-captured/default/stun_wa_call.pcapng.out b/test/results/flow-captured/default/stun_wa_call.pcapng.out
index 23b2b724d..333efcc49 100644
--- a/test/results/flow-captured/default/stun_wa_call.pcapng.out
+++ b/test/results/flow-captured/default/stun_wa_call.pcapng.out
@@ -4,6 +4,7 @@ Flow 2 risky: udp 192.168.12.156:46652 -> 157.240.203.62:3478
 Flow 4 risky: udp 192.168.12.156:46652 -> 157.240.21.51:3478
 Flow 5 risky: udp 192.168.12.156:46652 -> 157.240.195.48:3478
 Flow 3 risky: udp 192.168.12.156:46652 -> 157.240.231.62:3478
+Flow 13 risky: icmp 93.63.100.129 -> 192.168.12.156
 Flow 7 risky: udp 192.168.12.156:49526 -> 157.240.231.62:3478
 Flow 8 risky: udp 192.168.12.156:49526 -> 157.240.196.62:3478
 Flow 11 risky: udp 192.168.12.156:49526 -> 10.82.40.241:40436
diff --git a/test/results/flow-captured/default/synscan.pcap.out b/test/results/flow-captured/default/synscan.pcap.out
index 56be2c304..256ce0946 100644
--- a/test/results/flow-captured/default/synscan.pcap.out
+++ b/test/results/flow-captured/default/synscan.pcap.out
@@ -1112,8 +1112,6 @@ Flow 299 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:62078
 Flow 321 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:62078
 Flow 259 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:6788
 Flow 279 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:6788
-Flow 497 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:646
-Flow 534 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:646
 Flow 1499 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:6792
 Flow 1495 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:648
 Flow 1554 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:648
@@ -1608,9 +1606,7 @@ Flow 1257 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:1098
 Flow 444 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:1097
 Flow 1988 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:9290
 Flow 1303 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:1098
-Flow 1045 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:1099
 Flow 1166 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:1100
-Flow 1110 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:1099
 Flow 1241 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:1100
 Flow 1533 not-detected: tcp 172.16.0.8:36050 -> 64.13.134.52:1102
 Flow 1620 not-detected: tcp 172.16.0.8:36051 -> 64.13.134.52:1102
diff --git a/test/results/flow-captured/default/teams.pcap.out b/test/results/flow-captured/default/teams.pcap.out
index e2f4067c2..f9a450ce5 100644
--- a/test/results/flow-captured/default/teams.pcap.out
+++ b/test/results/flow-captured/default/teams.pcap.out
@@ -4,8 +4,6 @@ Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
 Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
 Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
 Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
-Flow 76 risky: udp 192.168.1.6:50016 -> 192.168.0.4:50005
-Flow 77 risky: udp 192.168.1.6:50036 -> 192.168.0.4:50020
 Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
 Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
 Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
diff --git a/test/results/flow-captured/default/telegram.pcap.out b/test/results/flow-captured/default/telegram.pcap.out
index f26a08e48..4980a4853 100644
--- a/test/results/flow-captured/default/telegram.pcap.out
+++ b/test/results/flow-captured/default/telegram.pcap.out
@@ -1,7 +1,7 @@
+Flow 25 not-detected: udp 192.168.1.77:23174 -> 192.168.1.52:31480
 Flow 32 risky: udp 192.168.1.77:5812 -> 192.168.1.1:53
 Flow 27 risky: udp 192.168.1.77:47127 -> 192.168.1.1:53
 Flow 29 risky: udp 192.168.1.43:138 -> 192.168.1.255:138
 Flow 44 not-detected: udp 192.168.1.77:28150 -> 87.11.205.195:59772
 Flow 26 not-detected: udp 192.168.1.77:23174 -> 87.11.205.195:60723
 Flow 33 risky: udp 192.168.1.77:54595 -> 192.168.1.1:53
-Flow 25 not-detected: udp 192.168.1.77:23174 -> 192.168.1.52:31480
diff --git a/test/results/flow-captured/default/telegram_videocall.pcapng.out b/test/results/flow-captured/default/telegram_videocall.pcapng.out
index 4184bab7a..f94ea0087 100644
--- a/test/results/flow-captured/default/telegram_videocall.pcapng.out
+++ b/test/results/flow-captured/default/telegram_videocall.pcapng.out
@@ -1,10 +1,17 @@
+Flow 4 risky: tcp 192.168.12.169:37950 -> 149.154.167.91:443
+Flow 7 risky: tcp 192.168.12.169:40830 -> 149.154.167.222:443
 Flow 26 risky: udp 192.168.12.169:42405 -> 93.36.13.115:35393
+Flow 8 risky: tcp 192.168.12.169:40832 -> 149.154.167.222:443
+Flow 10 risky: tcp 192.168.12.169:37966 -> 149.154.167.91:443
 Flow 18 risky: udp 192.168.12.169:40643 -> 91.108.9.35:1400
 Flow 24 risky: udp 192.168.12.169:42405 -> 10.46.103.200:42554
+Flow 5 risky: tcp 192.168.12.169:46862 -> 149.154.167.51:443
+Flow 6 risky: tcp 192.168.12.169:46866 -> 149.154.167.51:443
+Flow 9 risky: tcp 192.168.12.169:40834 -> 149.154.167.222:443
 Flow 19 risky: udp 192.168.12.169:49667 -> 91.108.13.23:1400
 Flow 25 risky: udp 192.168.12.169:40906 -> 10.46.103.200:42554
-Flow 23 risky: udp 192.168.12.169:37444 -> 91.108.17.2:1400
 Flow 20 risky: udp 192.168.12.169:49780 -> 91.108.17.2:1400
-Flow 22 risky: udp 192.168.12.169:37530 -> 91.108.13.23:1400
+Flow 33 risky: icmp 192.168.12.169 -> 91.108.17.2
+Flow 32 risky: icmp 192.168.12.169 -> 91.108.13.23
+Flow 31 risky: icmp 192.168.12.169 -> 91.108.9.35
 Flow 34 midstream: tcp 18.195.162.93:443 -> 192.168.12.169:38956
-Flow 21 risky: udp 192.168.12.169:37849 -> 91.108.9.35:1400
diff --git a/test/results/flow-captured/default/teso.pcapng.out b/test/results/flow-captured/default/teso.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/teso.pcapng.out
diff --git a/test/results/flow-captured/default/trdp.pcapng.out b/test/results/flow-captured/default/trdp.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/trdp.pcapng.out
diff --git a/test/results/flow-captured/default/viber.pcap.out b/test/results/flow-captured/default/viber.pcap.out
index ac2797c0c..4222474a3 100644
--- a/test/results/flow-captured/default/viber.pcap.out
+++ b/test/results/flow-captured/default/viber.pcap.out
@@ -1 +1,6 @@
+Flow 26 risky: icmp 192.168.0.17 -> 192.168.0.15
+Flow 1 guessed: tcp 192.168.0.17:33208 -> 52.0.253.101:4244
+Flow 1 not-detected: tcp 192.168.0.17:33208 -> 52.0.253.101:4244
+Flow 1 midstream: tcp 192.168.0.17:33208 -> 52.0.253.101:4244
 Flow 29 midstream: tcp 192.168.2.100:42900 -> 44.192.202.74:4244
+Flow 30 risky: udp 192.168.12.156:40482 -> 18.195.4.121:443
diff --git a/test/results/flow-captured/default/wa_video.pcap.out b/test/results/flow-captured/default/wa_video.pcap.out
index 32d1e558c..452806841 100644
--- a/test/results/flow-captured/default/wa_video.pcap.out
+++ b/test/results/flow-captured/default/wa_video.pcap.out
@@ -1,7 +1,6 @@
 Flow 3 risky: udp 192.168.2.12:53688 -> 31.13.86.48:3478
 Flow 11 risky: udp 192.168.2.12:53688 -> 91.252.56.51:32641
-Flow 7 risky: udp 192.168.2.12:53688 -> 157.240.196.62:3478
-Flow 5 risky: udp 192.168.2.12:53688 -> 157.240.193.48:3478
-Flow 6 risky: udp 192.168.2.12:53688 -> 179.60.192.48:3478
-Flow 4 risky: udp 192.168.2.12:53688 -> 185.60.216.51:3478
+Flow 2 guessed: tcp 192.168.2.12:49355 -> 157.240.20.53:5222
+Flow 2 not-detected: tcp 192.168.2.12:49355 -> 157.240.20.53:5222
+Flow 2 midstream: tcp 192.168.2.12:49355 -> 157.240.20.53:5222
 Flow 10 risky: udp 192.168.2.12:53688 -> 1.60.78.64:59491
diff --git a/test/results/flow-captured/default/waze.pcap.out b/test/results/flow-captured/default/waze.pcap.out
index 5e77b6b5a..5eadfae81 100644
--- a/test/results/flow-captured/default/waze.pcap.out
+++ b/test/results/flow-captured/default/waze.pcap.out
@@ -1,6 +1,13 @@
 Flow 3 risky: tcp 10.8.0.1:54915 -> 65.39.128.135:80
 Flow 18 risky: tcp 10.8.0.1:39021 -> 52.17.114.219:443
 Flow 6 risky: tcp 10.8.0.1:36102 -> 46.51.173.182:443
+Flow 4 risky: tcp 10.8.0.1:45529 -> 54.230.227.172:80
+Flow 8 risky: tcp 10.8.0.1:45536 -> 54.230.227.172:80
+Flow 9 risky: tcp 10.8.0.1:45538 -> 54.230.227.172:80
+Flow 10 risky: tcp 10.8.0.1:45540 -> 54.230.227.172:80
+Flow 15 risky: tcp 10.8.0.1:45546 -> 54.230.227.172:80
+Flow 16 risky: tcp 10.8.0.1:45552 -> 54.230.227.172:80
+Flow 17 risky: tcp 10.8.0.1:45554 -> 54.230.227.172:80
 Flow 5 risky: tcp 10.8.0.1:36100 -> 46.51.173.182:443
 Flow 19 risky: tcp 10.8.0.1:36312 -> 176.34.186.180:443
 Flow 7 risky: tcp 10.8.0.1:36585 -> 173.194.118.48:443
diff --git a/test/results/flow-captured/default/webdav.pcap.out b/test/results/flow-captured/default/webdav.pcap.out
index 6c907c396..65eb41d40 100644
--- a/test/results/flow-captured/default/webdav.pcap.out
+++ b/test/results/flow-captured/default/webdav.pcap.out
@@ -1 +1,8 @@
 Flow 1 risky: tcp 10.24.8.189:50652 -> 104.156.149.6:80
+Flow 7 risky: tcp 192.168.16.173:47726 -> 198.244.151.63:80
+Flow 4 risky: tcp 192.168.16.173:55974 -> 198.244.151.63:80
+Flow 3 risky: tcp 192.168.16.173:41714 -> 198.244.151.63:80
+Flow 2 risky: tcp 192.168.16.173:35612 -> 198.244.151.63:80
+Flow 8 risky: tcp 192.168.16.173:57432 -> 198.244.151.63:80
+Flow 5 risky: tcp 192.168.16.173:47432 -> 198.244.151.63:80
+Flow 6 risky: tcp 192.168.16.173:47436 -> 198.244.151.63:80
diff --git a/test/results/flow-captured/default/whatsapp_login_call.pcap.out b/test/results/flow-captured/default/whatsapp_login_call.pcap.out
index 26aabefaa..681fca7d1 100644
--- a/test/results/flow-captured/default/whatsapp_login_call.pcap.out
+++ b/test/results/flow-captured/default/whatsapp_login_call.pcap.out
@@ -1,25 +1,11 @@
 Flow 17 risky: tcp 192.168.2.4:49204 -> 17.173.66.102:443
 Flow 39 risky: udp 192.168.2.4:51518 -> 91.253.176.65:9344
-Flow 23 risky: udp 192.168.2.4:51518 -> 31.13.100.14:3478
-Flow 24 risky: udp 192.168.2.4:51518 -> 31.13.70.48:3478
-Flow 25 risky: udp 192.168.2.4:51518 -> 31.13.64.48:3478
-Flow 26 risky: udp 192.168.2.4:51518 -> 31.13.85.48:3478
-Flow 30 risky: udp 192.168.2.4:51518 -> 31.13.73.48:3478
-Flow 27 risky: udp 192.168.2.4:51518 -> 31.13.91.48:3478
-Flow 28 risky: udp 192.168.2.4:51518 -> 31.13.79.192:3478
 Flow 29 risky: udp 192.168.2.4:51518 -> 31.13.93.48:3478
 Flow 55 risky: udp 192.168.2.4:52794 -> 91.253.176.65:9665
 Flow 38 risky: udp 192.168.2.4:51518 -> 1.194.90.191:60312
 Flow 57 risky: tcp 192.168.2.4:49205 -> 17.173.66.102:443
 Flow 6 midstream: tcp 192.168.2.4:49172 -> 23.50.148.228:443
-Flow 50 risky: udp 192.168.2.4:52794 -> 173.252.114.1:3478
-Flow 49 risky: udp 192.168.2.4:52794 -> 179.60.192.48:3478
-Flow 46 risky: udp 192.168.2.4:52794 -> 31.13.73.48:3478
-Flow 47 risky: udp 192.168.2.4:52794 -> 31.13.93.48:3478
-Flow 51 risky: udp 192.168.2.4:52794 -> 31.13.90.48:3478
-Flow 52 risky: udp 192.168.2.4:52794 -> 31.13.74.48:3478
 Flow 53 risky: udp 192.168.2.4:52794 -> 31.13.84.48:3478
-Flow 48 risky: udp 192.168.2.4:52794 -> 31.13.79.192:3478
 Flow 54 risky: udp 192.168.2.4:52794 -> 1.194.90.191:51727
 Flow 1 risky: tcp 192.168.2.4:49199 -> 17.172.100.70:993
 Flow 1 midstream: tcp 192.168.2.4:49199 -> 17.172.100.70:993
diff --git a/test/results/flow-captured/default/windscribe.pcapng.out b/test/results/flow-captured/default/windscribe.pcapng.out
new file mode 100644
index 000000000..c714774e3
--- /dev/null
+++ b/test/results/flow-captured/default/windscribe.pcapng.out
@@ -0,0 +1 @@
+Flow 1 risky: tcp 192.168.12.156:42192 -> 107.161.86.132:443
diff --git a/test/results/flow-captured/default/xiaomi.pcap.out b/test/results/flow-captured/default/xiaomi.pcap.out
index 46ef54207..0825357a0 100644
--- a/test/results/flow-captured/default/xiaomi.pcap.out
+++ b/test/results/flow-captured/default/xiaomi.pcap.out
@@ -1 +1,6 @@
 Flow 1 midstream: tcp 47.241.7.88:5222 -> 10.52.151.160:39180
+Flow 2 risky: tcp 115.164.74.232:5222 -> 192.168.244.219:45904
+Flow 4 risky: tcp 97.39.119.172:5222 -> 192.168.93.59:51488
+Flow 3 risky: tcp 115.164.74.232:5222 -> 192.168.247.13:38018
+Flow 5 risky: tcp 192.168.2.100:37708 -> 3.127.176.74:5222
+Flow 6 risky: tcp 192.168.2.100:45106 -> 18.193.233.122:5222
diff --git a/test/results/flow-captured/default/zoom_p2p.pcapng.out b/test/results/flow-captured/default/zoom_p2p.pcapng.out
index e69de29bb..6b18616d3 100644
--- a/test/results/flow-captured/default/zoom_p2p.pcapng.out
+++ b/test/results/flow-captured/default/zoom_p2p.pcapng.out
@@ -0,0 +1,5 @@
+Flow 5 risky: icmp 206.247.87.213 -> 192.168.12.156
+Flow 6 risky: udp 192.168.12.156:38453 -> 192.168.1.226:41036
+Flow 10 risky: icmp 206.247.10.253 -> 192.168.12.156
+Flow 12 risky: udp 192.168.12.156:42208 -> 10.78.14.178:47312
+Flow 13 risky: udp 192.168.12.156:49579 -> 10.78.14.178:49586
diff --git a/test/results/flow-captured/default/zug.pcap.out b/test/results/flow-captured/default/zug.pcap.out
new file mode 100644
index 000000000..b3c5b511d
--- /dev/null
+++ b/test/results/flow-captured/default/zug.pcap.out
@@ -0,0 +1 @@
+Flow 4 not-detected: udp 61.59.105.181:19000 -> 199.24.15.231:48793
diff --git a/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out b/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out
index e818177e6..e68307bbc 100644
--- a/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out
+++ b/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out
@@ -43,6 +43,7 @@ Flow 158 midstream: tcp 192.168.2.126:49372 -> 14.136.136.108:80
 Flow 150 midstream: tcp 192.168.2.126:45416 -> 161.117.13.29:80
 Flow 147 midstream: tcp 192.168.2.126:45388 -> 161.117.13.29:80
 Flow 148 midstream: tcp 192.168.2.126:45398 -> 161.117.13.29:80
+Flow 163 risky: tcp 192.168.2.126:44368 -> 172.217.18.98:80
 Flow 163 midstream: tcp 192.168.2.126:44368 -> 172.217.18.98:80
 Flow 178 risky: tcp 192.168.2.126:56826 -> 8.209.97.107:80
 Flow 178 midstream: tcp 192.168.2.126:56826 -> 8.209.97.107:80
@@ -72,9 +73,11 @@ Flow 165 midstream: tcp 192.168.2.126:50148 -> 161.117.13.29:80
 Flow 166 midstream: tcp 192.168.2.126:50164 -> 161.117.13.29:80
 Flow 167 midstream: tcp 192.168.2.126:50166 -> 161.117.13.29:80
 Flow 168 midstream: tcp 192.168.2.126:50176 -> 161.117.13.29:80
+Flow 153 risky: tcp 192.168.2.126:41390 -> 18.64.79.37:80
 Flow 153 midstream: tcp 192.168.2.126:41390 -> 18.64.79.37:80
 Flow 197 midstream: tcp 192.168.2.126:51686 -> 18.64.79.64:80
 Flow 156 midstream: tcp 192.168.2.126:36732 -> 142.250.186.174:80
+Flow 194 risky: tcp 192.168.2.126:53416 -> 172.217.16.142:80
 Flow 194 midstream: tcp 192.168.2.126:53416 -> 172.217.16.142:80
 Flow 189 midstream: tcp 192.168.2.126:42554 -> 35.156.44.13:80
 Flow 190 risky: tcp 192.168.2.126:42566 -> 35.156.44.13:80
diff --git a/test/results/flow-captured/stun_mapped_address_disabled/teams.pcap.out b/test/results/flow-captured/fpc_disabled/teams.pcap.out
index e2f4067c2..f9a450ce5 100644
--- a/test/results/flow-captured/stun_mapped_address_disabled/teams.pcap.out
+++ b/test/results/flow-captured/fpc_disabled/teams.pcap.out
@@ -4,8 +4,6 @@ Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
 Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
 Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
 Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
-Flow 76 risky: udp 192.168.1.6:50016 -> 192.168.0.4:50005
-Flow 77 risky: udp 192.168.1.6:50036 -> 192.168.0.4:50020
 Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
 Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
 Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
diff --git a/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out b/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out
index e818177e6..e68307bbc 100644
--- a/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out
+++ b/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out
@@ -43,6 +43,7 @@ Flow 158 midstream: tcp 192.168.2.126:49372 -> 14.136.136.108:80
 Flow 150 midstream: tcp 192.168.2.126:45416 -> 161.117.13.29:80
 Flow 147 midstream: tcp 192.168.2.126:45388 -> 161.117.13.29:80
 Flow 148 midstream: tcp 192.168.2.126:45398 -> 161.117.13.29:80
+Flow 163 risky: tcp 192.168.2.126:44368 -> 172.217.18.98:80
 Flow 163 midstream: tcp 192.168.2.126:44368 -> 172.217.18.98:80
 Flow 178 risky: tcp 192.168.2.126:56826 -> 8.209.97.107:80
 Flow 178 midstream: tcp 192.168.2.126:56826 -> 8.209.97.107:80
@@ -72,9 +73,11 @@ Flow 165 midstream: tcp 192.168.2.126:50148 -> 161.117.13.29:80
 Flow 166 midstream: tcp 192.168.2.126:50164 -> 161.117.13.29:80
 Flow 167 midstream: tcp 192.168.2.126:50166 -> 161.117.13.29:80
 Flow 168 midstream: tcp 192.168.2.126:50176 -> 161.117.13.29:80
+Flow 153 risky: tcp 192.168.2.126:41390 -> 18.64.79.37:80
 Flow 153 midstream: tcp 192.168.2.126:41390 -> 18.64.79.37:80
 Flow 197 midstream: tcp 192.168.2.126:51686 -> 18.64.79.64:80
 Flow 156 midstream: tcp 192.168.2.126:36732 -> 142.250.186.174:80
+Flow 194 risky: tcp 192.168.2.126:53416 -> 172.217.16.142:80
 Flow 194 midstream: tcp 192.168.2.126:53416 -> 172.217.16.142:80
 Flow 189 midstream: tcp 192.168.2.126:42554 -> 35.156.44.13:80
 Flow 190 risky: tcp 192.168.2.126:42566 -> 35.156.44.13:80
diff --git a/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out b/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out
new file mode 100644
index 000000000..f9a450ce5
--- /dev/null
+++ b/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out
@@ -0,0 +1,19 @@
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
+Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
+Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
+Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
+Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
+Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
+Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
+Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
+Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
+Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
+Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
+Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
+Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
+Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
+Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
+Flow 10 risky: udp 192.168.1.6:64046 -> 192.168.1.1:53
+Flow 68 risky: udp 192.168.1.6:50016 -> 52.114.250.141:3478
+Flow 70 risky: udp 192.168.1.6:50036 -> 52.114.250.137:3478
diff --git a/test/results/flow-captured/stun_extra_dissection/lru_ipv6_caches.pcapng.out b/test/results/flow-captured/stun_extra_dissection/lru_ipv6_caches.pcapng.out
new file mode 100644
index 000000000..0247c3886
--- /dev/null
+++ b/test/results/flow-captured/stun_extra_dissection/lru_ipv6_caches.pcapng.out
@@ -0,0 +1,4 @@
+Flow 2 risky: udp 3991:72d:336e:65ec:c5bf:a5fa:83ad:23de:6881 -> 3024:e5ee:ac2f:cd76:5dd6:a7a1:f17f:5c27:60506
+Flow 7 risky: udp 2118:ec33:112b:7908:2c80:27ff:fef7:d71f:48415 -> 32fb:f967:681e:e96b:face:b00c::74fd:3478
+Flow 12 risky: udp 3069:c624:1d42:9469:98b1:67ff:fe43:325:56131 -> 32fb:f967:681e:e96b:face:b00c::74fd:3478
+Flow 3 risky: udp 2a2f:8509:1cb2:466d:ecbf:69d6:109c:608:62229 -> 3991:72d:336e:65ec:c5bf:a5fa:83ad:23de:6881
diff --git a/test/results/flow-captured/stun_extra_dissection/stun_dtls_rtp.pcapng.out b/test/results/flow-captured/stun_extra_dissection/stun_dtls_rtp.pcapng.out
new file mode 100644
index 000000000..fafa9ec68
--- /dev/null
+++ b/test/results/flow-captured/stun_extra_dissection/stun_dtls_rtp.pcapng.out
@@ -0,0 +1 @@
+Flow 1 risky: udp 192.168.12.156:37967 -> 142.250.82.76:19305
diff --git a/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out b/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
new file mode 100644
index 000000000..333efcc49
--- /dev/null
+++ b/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
@@ -0,0 +1,13 @@
+Flow 1 risky: udp 192.168.12.156:46652 -> 93.57.123.227:3478
+Flow 6 risky: udp 192.168.12.156:49526 -> 157.240.203.62:3478
+Flow 2 risky: udp 192.168.12.156:46652 -> 157.240.203.62:3478
+Flow 4 risky: udp 192.168.12.156:46652 -> 157.240.21.51:3478
+Flow 5 risky: udp 192.168.12.156:46652 -> 157.240.195.48:3478
+Flow 3 risky: udp 192.168.12.156:46652 -> 157.240.231.62:3478
+Flow 13 risky: icmp 93.63.100.129 -> 192.168.12.156
+Flow 7 risky: udp 192.168.12.156:49526 -> 157.240.231.62:3478
+Flow 8 risky: udp 192.168.12.156:49526 -> 157.240.196.62:3478
+Flow 11 risky: udp 192.168.12.156:49526 -> 10.82.40.241:40436
+Flow 12 risky: udp 192.168.12.156:49526 -> 93.33.118.87:41107
+Flow 9 risky: udp 192.168.12.156:49526 -> 179.60.192.48:3478
+Flow 10 risky: udp 192.168.12.156:49526 -> 185.60.216.51:3478
diff --git a/test/results/flow-captured/stun_only_peer_address_enabled/telegram_videocall.pcapng.out b/test/results/flow-captured/stun_only_peer_address_enabled/telegram_videocall.pcapng.out
new file mode 100644
index 000000000..f94ea0087
--- /dev/null
+++ b/test/results/flow-captured/stun_only_peer_address_enabled/telegram_videocall.pcapng.out
@@ -0,0 +1,17 @@
+Flow 4 risky: tcp 192.168.12.169:37950 -> 149.154.167.91:443
+Flow 7 risky: tcp 192.168.12.169:40830 -> 149.154.167.222:443
+Flow 26 risky: udp 192.168.12.169:42405 -> 93.36.13.115:35393
+Flow 8 risky: tcp 192.168.12.169:40832 -> 149.154.167.222:443
+Flow 10 risky: tcp 192.168.12.169:37966 -> 149.154.167.91:443
+Flow 18 risky: udp 192.168.12.169:40643 -> 91.108.9.35:1400
+Flow 24 risky: udp 192.168.12.169:42405 -> 10.46.103.200:42554
+Flow 5 risky: tcp 192.168.12.169:46862 -> 149.154.167.51:443
+Flow 6 risky: tcp 192.168.12.169:46866 -> 149.154.167.51:443
+Flow 9 risky: tcp 192.168.12.169:40834 -> 149.154.167.222:443
+Flow 19 risky: udp 192.168.12.169:49667 -> 91.108.13.23:1400
+Flow 25 risky: udp 192.168.12.169:40906 -> 10.46.103.200:42554
+Flow 20 risky: udp 192.168.12.169:49780 -> 91.108.17.2:1400
+Flow 33 risky: icmp 192.168.12.169 -> 91.108.17.2
+Flow 32 risky: icmp 192.168.12.169 -> 91.108.13.23
+Flow 31 risky: icmp 192.168.12.169 -> 91.108.9.35
+Flow 34 midstream: tcp 18.195.162.93:443 -> 192.168.12.169:38956
diff --git a/test/results/flow-captured/subclassification_disable/anydesk.pcapng.out b/test/results/flow-captured/subclassification_disable/anydesk.pcapng.out
new file mode 100644
index 000000000..9f090eeb4
--- /dev/null
+++ b/test/results/flow-captured/subclassification_disable/anydesk.pcapng.out
@@ -0,0 +1,5 @@
+Flow 1 risky: tcp 192.168.149.129:36351 -> 51.83.239.144:80
+Flow 1 midstream: tcp 192.168.149.129:36351 -> 51.83.239.144:80
+Flow 2 risky: tcp 192.168.149.129:43535 -> 51.83.238.219:80
+Flow 5 risky: tcp 192.168.1.187:54164 -> 192.168.1.178:7070
+Flow 7 risky: tcp 192.168.1.128:48260 -> 195.181.174.176:443
diff --git a/test/results/flow-captured/subclassification_disable/dns.pcap.out b/test/results/flow-captured/subclassification_disable/dns.pcap.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/subclassification_disable/dns.pcap.out
diff --git a/test/results/flow-captured/subclassification_disable/http.pcapng.out b/test/results/flow-captured/subclassification_disable/http.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/subclassification_disable/http.pcapng.out
diff --git a/test/results/flow-captured/subclassification_disable/quic-mvfst-27.pcapng.out b/test/results/flow-captured/subclassification_disable/quic-mvfst-27.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/subclassification_disable/quic-mvfst-27.pcapng.out
diff --git a/test/results/flow-captured/subclassification_disable/tls_ech.pcapng.out b/test/results/flow-captured/subclassification_disable/tls_ech.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/subclassification_disable/tls_ech.pcapng.out
diff --git a/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out b/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out
new file mode 100644
index 000000000..40e91288c
--- /dev/null
+++ b/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out
@@ -0,0 +1,6 @@
+Flow 30 risky: tcp 192.168.1.117:54871 -> 109.94.160.99:443
+Flow 9 risky: udp 192.168.1.117:65394 -> 192.168.1.1:53
+Flow 14 risky: udp 192.168.1.117:23903 -> 162.255.38.14:3479
+Flow 3 risky: tcp 192.168.1.117:54863 -> 167.99.215.164:4434
+Flow 16 risky: tcp 192.168.1.117:53872 -> 35.186.224.53:443
+Flow 16 midstream: tcp 192.168.1.117:53872 -> 35.186.224.53:443
diff --git a/test/results/flow-captured/zoom_extra_dissection/zoom2.pcap.out b/test/results/flow-captured/zoom_extra_dissection/zoom2.pcap.out
new file mode 100644
index 000000000..f00467b39
--- /dev/null
+++ b/test/results/flow-captured/zoom_extra_dissection/zoom2.pcap.out
@@ -0,0 +1,3 @@
+Flow 2 risky: udp 192.168.1.178:60653 -> 144.195.73.154:8801
+Flow 3 risky: udp 192.168.1.178:58117 -> 144.195.73.154:8801
+Flow 4 risky: udp 192.168.1.178:57953 -> 144.195.73.154:8801
diff --git a/test/results/flow-captured/zoom_extra_dissection/zoom_p2p.pcapng.out b/test/results/flow-captured/zoom_extra_dissection/zoom_p2p.pcapng.out
new file mode 100644
index 000000000..6b18616d3
--- /dev/null
+++ b/test/results/flow-captured/zoom_extra_dissection/zoom_p2p.pcapng.out
@@ -0,0 +1,5 @@
+Flow 5 risky: icmp 206.247.87.213 -> 192.168.12.156
+Flow 6 risky: udp 192.168.12.156:38453 -> 192.168.1.226:41036
+Flow 10 risky: icmp 206.247.10.253 -> 192.168.12.156
+Flow 12 risky: udp 192.168.12.156:42208 -> 10.78.14.178:47312
+Flow 13 risky: udp 192.168.12.156:49579 -> 10.78.14.178:49586 |