Reworked layer 4 flow length naming/calculation.

* nDPIsrvd services usually do not care about layer4 data length, payload length is quite more essential for further processing Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2021-05-20 14:55:05 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2021-05-20 14:55:05 +0200
commit: 9a1c2d0ea731724edfaca97195c87569e4321681 (patch)
tree: d1371082f38a429a2c491ef918ed2a963936bc9a /test/results/ftp_failed.pcap.out
parent: db39772aa7b10ee6fb9e21db8f44c0f5fca7a1d2 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/test/results/ftp_failed.pcap.out b/test/results/ftp_failed.pcap.out
index 03a4ba890..97956b71d 100644
--- a/test/results/ftp_failed.pcap.out
+++ b/test/results/ftp_failed.pcap.out
@@ -1,5 +1,5 @@
 00478{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"ftp_failed.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"idle-scan-period":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":30000,"udp-max-idle-time":180000,"tcp-max-idle-time":7440000,"tcp-max-post-end-flow-time":120000,"max-packets-per-flow-to-send":15,"max-packets-per-flow-to-process":255}
-00491{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_first_seen":1574361625864,"flow_last_seen":0,"flow_tot_l4_data_len":40,"flow_min_l4_data_len":40,"flow_max_l4_data_len":40,"flow_avg_l4_data_len":40,"midstream":0,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
+00499{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_first_seen":1574361625864,"flow_last_seen":0,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
 00468{"flow_id":1,"flow_packet_id":1,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ftp_failed.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1574361625,"pkt_ts_usec":864342,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"pkt":"9LUv\/K\/wZABqYzXMht1gC5eXACgGQCoADUAAAQADAZIAEgGTABEqAAgAEBAAAAAAAAAAAAABrrQAFZk3QbUAAAAAoAJwgHzLAAACBAWgBAIICpYFXqIAAAAAAQMDBw=="}
 00470{"flow_id":1,"flow_packet_id":2,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ftp_failed.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1574361625,"pkt_ts_usec":878212,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"pkt":"ZABqYzXM9LUv\/K\/wht1gC1mOACgGOioACAAQEAAAAAAAAAAAAAEqAA1AAAEAAwGSABIBkwARABWutHAVBmyZN0G2oBL\/\/zbpAAACBAWgBAIIClbTSMOWBV6iAQMDDg=="}
 00456{"flow_id":1,"flow_packet_id":3,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ftp_failed.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1574361625,"pkt_ts_usec":878234,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"pkt":"9LUv\/K\/wZABqYzXMht1gC5eXACAGQCoADUAAAQADAZIAEgGTABEqAAgAEBAAAAAAAAAAAAABrrQAFZk3QbZwFQZtgBAA4XzDAAABAQgKlgVesFbTSMM="}
@@ -15,6 +15,6 @@
 00465{"flow_id":1,"flow_packet_id":13,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"ftp_failed.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1574361633,"pkt_ts_usec":74667,"pkt_caplen":92,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":92,"pkt_l4_len":38,"pkt":"9LUv\/K\/wZABqYzXMht1gC5eXACYGQCoADUAAAQADAZIAEgGTABEqAAgAEBAAAAAAAAAAAAABrrQAFZk3QchwFQbPgBgA4XzJAAABAQgKlgV6zFbTThFRVUlUDQo="}
 00479{"flow_id":1,"flow_packet_id":14,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"ftp_failed.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1574361633,"pkt_ts_usec":88560,"pkt_caplen":100,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":100,"pkt_l4_len":46,"pkt":"ZABqYzXM9LUv\/K\/wht1gC1mOAC4GOioACAAQEAAAAAAAAAAAAAEqAA1AAAEAAwGSABIBkwARABWutHAVBs+ZN0HOgBgCAFELAAABAQgKVtNPzpYFeswyMjEgR29vZGJ5ZS4NCg=="}
 00457{"flow_id":1,"flow_packet_id":15,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"ftp_failed.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1574361633,"pkt_ts_usec":88598,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"pkt":"9LUv\/K\/wZABqYzXMht1gC5eXACAGQCoADUAAAQADAZIAEgGTABEqAAgAEBAAAAAAAAAAAAABrrQAFZk3Qc5wFQbdgBAA4XzDAAABAQgKlgV62lbTT84="}
-00620{"flow_event_id":4,"flow_event_name":"guessed","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_tot_l4_data_len":728,"flow_min_l4_data_len":32,"flow_max_l4_data_len":72,"flow_avg_l4_data_len":40,"midstream":0,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","ndpi": {"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download-FileTransfer-FileSharing"},"ftp": {"user":"hello","password":"","auth_failed":1}}
-00506{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_tot_l4_data_len":728,"flow_min_l4_data_len":32,"flow_max_l4_data_len":72,"flow_avg_l4_data_len":40,"midstream":0,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
+00630{"flow_event_id":4,"flow_event_name":"guessed","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":136,"flow_avg_l4_payload_len":7,"midstream":0,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","ndpi": {"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download-FileTransfer-FileSharing"},"ftp": {"user":"hello","password":"","auth_failed":1}}
+00516{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":136,"flow_avg_l4_payload_len":7,"midstream":0,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
 00130{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test"}
author	Toni Uhlig <matzeton@googlemail.com>	2021-05-20 14:55:05 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2021-05-20 14:55:05 +0200
commit	9a1c2d0ea731724edfaca97195c87569e4321681 (patch)
tree	d1371082f38a429a2c491ef918ed2a963936bc9a /test/results/ftp_failed.pcap.out
parent	db39772aa7b10ee6fb9e21db8f44c0f5fca7a1d2 (diff)