author | Toni Uhlig <matzeton@googlemail.com> | 2021-12-15 23:25:32 +0100 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2022-01-20 00:50:38 +0100 |
commit | 9e07a57566cc45bf92a845d8cee968d72e0f314e (patch) | |
tree | 8f1a6bfd08bd68a5253fadf3a01beecda77b1c95 /test/results/irc.pcap.out | |
parent | a35fc1d5ea8570609cc0c8cf6edadc81f8f5bb76 (diff) |
Major nDPId extension. Sorry for the huge commit.
- nDPId: fixed invalid IP4/IP6 tuple compare
- nDPIsrvd: fixed caching issue (finally)
- added tiny c example (can be used to check flow manager sanity)
- c-captured: use flow_last_seen timestamp from `struct nDPIsrvd_flow`
- README.md update: added example JSON sequence
- nDPId: added new flow event `update` necessary for correct
timeout handling (and other future use-cases)
- nDPIsrvd.h and nDPIsrvd.py: switched to an instance
(consists of an alias/source tuple) based flow manager
- every flow related event **must** now serialize `alias`, `source`,
`flow_id`, `flow_last_seen` and `flow_idle_time` to make the timeout
handling and verification process work correctly
- nDPIsrvd.h: ability to profile any dynamic memory (de-)allocation
- nDPIsrvd.py: removed PcapPacket class (unused)
- py-flow-dashboard and py-flow-multiprocess: fixed race condition
- py-flow-info: print statusbar with probably useful information
- nDPId/nDPIsrvd.h: switched from packet-flow only timestamps (`pkt_*sec`)
to a generic flow event timestamp `ts_msec`
- nDPId-test: added additional checks
- nDPId: increased ICMP flow timeout
- nDPId: using event based i/o if capturing packets from a device
- nDPIsrvd: fixed memory leak on shutdown if remote descriptors
were still connected
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/irc.pcap.out')
-rw-r--r-- | test/results/irc.pcap.out | 41 |
1 files changed, 15 insertions, 26 deletions
diff --git a/test/results/irc.pcap.out b/test/results/irc.pcap.out
index 78215313e..d4ea23287 100644
--- a/test/results/irc.pcap.out
+++ b/test/results/irc.pcap.out
@@ -1,34 +1,23 @@ -00471{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"irc.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"idle-scan-period":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":10000,"udp-max-idle-time":180000,"tcp-max-idle-time":7440000,"tcp-max-post-end-flow-time":120000,"max-packets-per-flow-to-send":15,"max-packets-per-flow-to-process":255} -00490{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_first_seen":1387554241634,"flow_last_seen":1387554241634,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15} -00432{"flow_id":1,"flow_packet_id":1,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":634815,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"pkt":"AAAMB6wBABNyxPHhCABFAAA8\/+BAAEAGJjUKtJz5JuVGFLNhH0BpMfDFAAAAAKACOQj\/0AAAAgQFtAQCCAq+wg8lAAAAAAEDAwc="} -00430{"flow_id":1,"flow_packet_id":2,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":665525,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"pkt":"ABNyxPHhANAr0XYACABFAAA8AABAADIGNBYm5UYUCrSc+R9As2GRFS01aTHwxqASFqAOiAAAAgQFtAQCCAowSCUOvsIPJQEDAwY="} 
-00419{"flow_id":1,"flow_packet_id":3,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":665548,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+FAAEAGJjwKtJz5JuVGFLNhH0BpMfDGkRUtNoAQAHNTYQAAAQEICr7CD0QwSCUO"} -00469{"flow_id":1,"flow_packet_id":4,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":665610,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"pkt":"AAAMB6wBABNyxPHhCABFAABX\/+JAAEAGJhgKtJz5JuVGFLNhH0BpMfDGkRUtNoAYAHMU8AAAAQEICr7CD0QwSCUOVVNFUiB4eHh4eCAraXcgeHh4eHggOlh4eHh4eCBYeHh4DQo="} -00419{"flow_id":1,"flow_packet_id":5,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":695656,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"pkt":"ABNyxPHhANAr0XYACABFAAA0CCBAADIGK\/4m5UYUCrSc+R9As2GRFS02aTHw6YAQAFtTTgAAAQEICjBIJRa+wg9E"} -00443{"flow_id":1,"flow_packet_id":6,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":695673,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":83,"pkt_l4_len":49,"pkt":"AAAMB6wBABNyxPHhCABFAABF\/+NAAEAGJikKtJz5JuVGFLNhH0BpMfDpkRUtNoAYAHMU3gAAAQEICr7CD2IwSCUWTklDSyBtb2xvY2h0ZXN0DQo="} 
-00504{"flow_id":1,"flow_packet_id":7,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":695929,"pkt_caplen":128,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":128,"pkt_l4_len":94,"pkt":"ABNyxPHhANAr0XYACABFAAByCCFAADIGK78m5UYUCrSc+R9As2GRFS02aTHw6YAYAFuk2AAAAQEICjBIJRa+wg9EOmNhcmQuZnJlZW5vZGUubmV0IE5PVElDRSAqIDoqKiogTG9va2luZyB1cCB5b3VyIGhvc3RuYW1lLi4uDQo="} -00628{"flow_event_id":5,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":7,"flow_first_seen":1387554241634,"flow_last_seen":1387554241695,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":62,"flow_tot_l4_payload_len":114,"flow_avg_l4_payload_len":16,"midstream":0,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","22":"Unsafe Protocol","36":"Clear-text credentials"},"proto":"IRC","breed":"Unsafe","category":"Chat"}} -00419{"flow_id":1,"flow_packet_id":8,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":695943,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+RAAEAGJjkKtJz5JuVGFLNhH0BpMfD6kRUtdIAQAHNSyQAAAQEICr7CD2IwSCUW"} 
-00488{"flow_id":1,"flow_packet_id":9,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":726130,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"pkt":"ABNyxPHhANAr0XYACABFAABlCCJAADIGK8sm5UYUCrSc+R9As2GRFS10aTHw+oAYAFuqEAAAAQEICjBIJR2+wg9iOmNhcmQuZnJlZW5vZGUubmV0IE5PVElDRSAqIDoqKiogQ2hlY2tpbmcgSWRlbnQNCg=="} -00421{"flow_id":1,"flow_packet_id":10,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":726146,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+VAAEAGJjgKtJz5JuVGFLNhH0BpMfD6kRUtpYAQAHNScwAAAQEICr7CD4AwSCUd"} -00494{"flow_id":1,"flow_packet_id":11,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":780962,"pkt_caplen":120,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":120,"pkt_l4_len":86,"pkt":"ABNyxPHhANAr0XYACABFAABqCCNAADIGK8Um5UYUCrSc+R9As2GRFS2laTHw+oAYAFvOTQAAAQEICjBIJSu+wg+AOmNhcmQuZnJlZW5vZGUubmV0IE5PVElDRSAqIDoqKiogRm91bmQgeW91ciBob3N0bmFtZQ0K"} -00421{"flow_id":1,"flow_packet_id":12,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554241,"pkt_ts_usec":780975,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+ZAAEAGJjcKtJz5JuVGFLNhH0BpMfD6kRUt24AQAHNR+AAAAQEICr7CD7cwSCUr"} 
-00494{"flow_id":1,"flow_packet_id":13,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554250,"pkt_ts_usec":645455,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"pkt":"ABNyxPHhANAr0XYACABFAABoCCRAADIGK8Ym5UYUCrSc+R9As2GRFS3baTHw+oAYAFsCCQAAAQEICjBILdO+wg+3OmNhcmQuZnJlZW5vZGUubmV0IE5PVElDRSAqIDoqKiogTm8gSWRlbnQgcmVzcG9uc2UNCg=="} -00421{"flow_id":1,"flow_packet_id":14,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554250,"pkt_ts_usec":645480,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+dAAEAGJjYKtJz5JuVGFLNhH0BpMfD6kRUuD4AQAHMmewAAAQEICr7CMlgwSC3T"} -02358{"flow_id":1,"flow_packet_id":15,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"irc.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1387554250,"pkt_ts_usec":647295,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"pkt":"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"} -00501{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":29,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":29,"flow_first_seen":1387554241634,"flow_last_seen":1387554256201,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":7015,"flow_avg_l4_payload_len":241,"midstream":0,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15} -00123{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":29,"source":"irc.pcap","alias":"nDPId-test"} 
+00437{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"irc.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7460000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255} +00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1387554241634,"flow_last_seen":1387554241634,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1387554241634,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} +00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1387554241634,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1387554241634,"pkt":"AAAMB6wBABNyxPHhCABFAAA8\/+BAAEAGJjUKtJz5JuVGFLNhH0BpMfDFAAAAAKACOQj\/0AAAAgQFtAQCCAq+wg8lAAAAAAEDAwc="} +00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1387554241665,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1387554241665,"pkt":"ABNyxPHhANAr0XYACABFAAA8AABAADIGNBYm5UYUCrSc+R9As2GRFS01aTHwxqASFqAOiAAAAgQFtAQCCAowSCUOvsIPJQEDAwY="} 
+00454{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1387554241665,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1387554241665,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+FAAEAGJjwKtJz5JuVGFLNhH0BpMfDGkRUtNoAQAHNTYQAAAQEICr7CD0QwSCUO"} +00685{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1387554241634,"flow_last_seen":1387554241695,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":62,"flow_tot_l4_payload_len":114,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1387554241695,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","22":"Unsafe Protocol","36":"Clear-text credentials"},"proto":"IRC","breed":"Unsafe","category":"Chat"}} +00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":29,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":29,"flow_first_seen":1387554241634,"flow_last_seen":1387554256201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":7015,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1387554256201,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} +00151{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":29,"source":"irc.pcap","alias":"nDPId-test","total-events-serialized":8} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 29/29 ~~ skipped flows.............: 0 -~~ 
total layer4 data length..: 7959 bytes +~~ total layer4 data length..: 7015 bytes ~~ total detected protocols..: 1 ~~ total active/idle flows...: 1/1 +~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 1930957 bytes -~~ total memory freed........: 1930957 bytes +~~ total memory allocated....: 1931013 bytes +~~ total memory freed........: 1931013 bytes ~~ total allocations/frees...: 35368/35368 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ json string min len.......: 128 chars -~~ json string max len.......: 2363 chars -~~ json string avg len.......: 1210 chars +~~ json string min len.......: 156 chars +~~ json string max len.......: 690 chars +~~ json string avg len.......: 483 chars |