diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2022-09-24 23:25:33 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2022-09-25 00:54:39 +0200 |
| commit | 2103ee0811e3f606b8129d044e22cd33804e2117 (patch) | |
| tree | 80e76fd406e5f6dbf745ca39fa6d55d85790c530 /test/results/telegram.pcap.out | |
| parent | 36f1786bde2572cf7eb44aa1384b61ecfebdeff3 (diff) | |
Refactored client distributor C API.
* Still not perfect, but the code before was not even able to deal with JSON arrays.
Use common "speaking" function names for all functions in nDPIsrvd.h
* Provide a more or less generic and easy extendable JSON walk function.
* Modified C examples to align with the changed C API.
* c-collectd: Reduced lot's of code duplication by providing mapping tables.
* nDPId: IAT array requires one slot less (first packet has always an IAT of 0).
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'test/results/telegram.pcap.out')
| -rw-r--r-- | test/results/telegram.pcap.out | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/test/results/telegram.pcap.out b/test/results/telegram.pcap.out index c68afacaf..c54fb6369 100644 --- a/test/results/telegram.pcap.out +++ b/test/results/telegram.pcap.out @@ -50,8 +50,8 @@ 00759{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604297208,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":238,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":238,"pkt_l4_len":204,"thread_ts_usec":1588779604297208,"pkt":"AQBeAAD7wJrQLWJ0CABFAADgDXQAAP8RCsDAqAE14AAA+xTpFOkAzL4AAAAAAAADAAMAAAABCF9ob21la2l0BF90Y3AFbG9jYWwAAAwAAQ9fY29tcGFuaW9uLWxpbmvAFQAMAAEMX3NsZWVwLXByb3h5BF91ZHDAGgAMAAHAJQAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AlwCUADAABAAARlAAOC0x1Y2EncyBpUGFkwCXAOwAMAAEAABGUABIPNTAtMzUtMTAtNzAuMSAxwDsAACkFoAAAEZQAEgAEAA4AMeKa0C1idMCa0C1idA=="} 00788{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1588779604297420,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":258,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":258,"pkt_l4_len":204,"thread_ts_usec":1588779604297420,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAMwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QDMXFcAAAAAAAMAAwAAAAEIX2hvbWVraXQEX3RjcAVsb2NhbAAADAABD19jb21wYW5pb24tbGlua8AVAAwAAQxfc2xlZXAtcHJveHkEX3VkcMAaAAwAAcAlAAwAAQAAEZQAEA1MdWNh4oCZcyBpTWFjwCXAJQAMAAEAABGUAA4LTHVjYSdzIGlQYWTAJcA7AAwAAQAAEZQAEg81MC0zNS0xMC03MC4xIDHAOwAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"} 00869{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"telegram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604398986,"flow_dst_last_pkt_time":1588779597291316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":320,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":320,"pkt_l4_len":286,"thread_ts_usec":1588779604398986,"pkt":"jP5XIzfkKDc3AG3ICABFAAEy\/rUAAP8ROBzAqAFNwKgBSxTpFOkBHhkOAACEAAAAAAEAAAAED19jb21wYW5pb24tbGluawRfdGNwBWxvY2FsAAAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AMwDIAIYABAAAAeAATAAAAAMAFCkx1Y2FzLWlNYWPAIcAyABCAAQAAEZQAWBZycEJBPTM5OjJBOjg4OkFDOjQxOkFCCnJwVnI9MTUyLjERcnBIST1mOWM0NmM2ZGQwN2QRcnBITj0zYzVkYzVjZTk1NzgRcnBIQT04Y2E4Y2I3MzFjMWMNTHVjYeKAmXMgaU1hYwxfZGV2aWNlLWluZm\/AHAAQAAEAABGUABoObW9kZWw9aU1hYzExLDMKb3N4dmVycz0xN8BUAAGAAQAAAHgABMCoAU0="} -01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":424,"avg":260106.0,"max":1089013,"stddev":238284.9,"var":56779681792.0,"ent":4.4,"data": [549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193,0]},"pktlen": {"min":142,"avg":198.7,"max":308,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":368,"avg":260092.7,"max":1088510,"stddev":238249.1,"var":56762626048.0,"ent":4.4,"data": [549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380,0]},"pktlen": {"min":162,"avg":218.7,"max":328,"stddev":56.4,"var":3176.8,"ent":5.0,"data": [162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":424,"avg":260106.0,"max":1089013,"stddev":238284.9,"var":56779681792.0,"ent":4.4,"data": [549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193]},"pktlen": {"min":142,"avg":198.7,"max":308,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":368,"avg":260092.7,"max":1088510,"stddev":238249.1,"var":56762626048.0,"ent":4.4,"data": [549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380]},"pktlen": {"min":162,"avg":218.7,"max":328,"stddev":56.4,"var":3176.8,"ent":5.0,"data": [162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1588779606465822,"flow_dst_last_pkt_time":1588779596451825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"thread_ts_usec":1588779606465822,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzGJdAAEARYHrAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGABAmSTUAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"} 00918{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":102,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1588779596464729,"flow_src_last_pkt_time":1588779607307651,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":196,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779607307651,"l3_proto":"ip4","src_ip":"192.168.1.53","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_sleep-proxy._udp.local","mdns": {}}} 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":103,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1588779607308336,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":162,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":162,"pkt_l4_len":108,"thread_ts_usec":1588779607308336,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAGwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QBsCTwAAAAAAAEAAQAAAAEMX3NsZWVwLXByb3h5BF91ZHAFbG9jYWwAAAwAAcAMAAwAAQAAEZEAEg81MC0zNS0xMC03MC4xIDHADAAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"} @@ -118,14 +118,14 @@ 00997{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779617174225,"flow_src_last_pkt_time":1588779617174225,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779617174225,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":23174,"dst_port":60723,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617350710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617350710,"pkt":"KDc3AG3I8KNaMBgSCABFAABsUAUAAEARpqrAqAE0wKgBTXr4WoYAWLDM6Td5ePjQrnTyke2EPHu3iQJhxLIf06esu8RwrHmFIT7cHf5ycIamk2yhxwjAfE09exZIgAEDzMDiso7KFMuIe8fjwzyyS3MKiG+Cd3eNuy0="} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617856441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617856441,"pkt":"KDc3AG3I8KNaMBgSCABFAABsRZ4AAEARsRHAqAE0wKgBTXr4WoYAWPxjToIQs5m5XoZB1qDehmfhJomQUeopOlZuJIIaL6qE8BgtmXQ6sqxHJAacGMTU5S5RgUjUPrOpUP\/aPObI3ORz5PRGJjnynufzdcsxdb\/ZTPY="} -01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":658,"avg":118086.8,"max":500928,"stddev":112055.1,"var":12556351488.0,"ent":4.4,"data": [33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393,0]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":57.3,"var":3288.0,"ent":4.9,"data": [82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234]},"bins": {"c_to_s": [0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":658,"avg":118086.8,"max":500928,"stddev":112055.1,"var":12556351488.0,"ent":4.4,"data": [33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":57.3,"var":3288.0,"ent":4.9,"data": [82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234]},"bins": {"c_to_s": [0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1588779618677198,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779618677198,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMg0kAAEAREJTAqAFNVwvNw1qG7TMAOE0OU2RiXNjy8sJRKs8KhnTyEy6Nhnt95vQlharNkBkXr2lvtMgl2dlHhYY4WvPjXQkp"} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1588779619914905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABHqTUAAEARTdLAqAFNwKgBAbgXADUAM25TALgBAAABAAAAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAQ=="} 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1588779619916408,"pkt":"KDc3AG3IAICPmq69CABFAABXwqhAAEAR9E7AqAEBwKgBTQA1uBcAQ5UvALiBgAABAAEAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAcAMAAEAAQAAAAAABMCoAZ0="} 01160{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":59,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":59,"midstream":0,"thread_ts_usec":1588779619916408,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"192.168.1.157"}}} -01622{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42308,"avg":260899.1,"max":1998754,"stddev":472680.0,"var":223426379776.0,"ent":3.6,"data": [176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696,0]},"pktlen": {"min":90,"avg":205.5,"max":282,"stddev":54.5,"var":2971.8,"ent":4.9,"data": [122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234]},"bins": {"c_to_s": [0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}} +01620{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42308,"avg":260899.1,"max":1998754,"stddev":472680.0,"var":223426379776.0,"ent":3.6,"data": [176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696]},"pktlen": {"min":90,"avg":205.5,"max":282,"stddev":54.5,"var":2971.8,"ent":4.9,"data": [122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234]},"bins": {"c_to_s": [0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779625981468,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":355,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":355,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":355,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779625981468,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00990{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":397,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":397,"pkt_l4_len":363,"thread_ts_usec":1588779625981468,"pkt":"\/\/\/\/\/\/\/\/AICPmq69CABFAAF\/jrEAAEAR6r0AAAAA\/\/\/\/\/wBEAEMBa16\/AQEGAN7JmyKFuQAAAAAAAAAAAAAAAAAAAAAAAACAj5quvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBPRP\/j5quvQABAAEfyzfOuCfrPQjbUAB0AQE5AgXcPC1kaGNwY2QtNi4xMC4xOkxpbnV4LTQuOS41Ny12Nys6YXJtdjdsOkJDTTI4MzUMDHBpMy5udG9wLm9yZ5EBATcPAXkhAwYMDxocKjM2Ojt3\/w=="} @@ -205,10 +205,10 @@ 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":753,"source":"telegram.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048873,"flow_dst_last_pkt_time":1588779637682180,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048873,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE8IoAAEARYLjAqAFNW2wMBW32AhkAMMg9L+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/8fmAjwvVRcdw=="} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":754,"source":"telegram.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048996,"flow_dst_last_pkt_time":1588779637712776,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048996,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE3R0AAEARcCfAqAFNW2wQA232AhkAMFmIL+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/13zLCZd4eiw=="} 00735{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":825,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_src_last_pkt_time":1588779638831421,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779638831421,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKuMQAAAERTm\/AqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"} -01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8183,"avg":98621.3,"max":504672,"stddev":137715.2,"var":18965475328.0,"ent":4.0,"data": [38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605,0]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":55.4,"var":3064.0,"ent":4.9,"data": [82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106]},"bins": {"c_to_s": [0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01741{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8183,"avg":98621.3,"max":504672,"stddev":137715.2,"var":18965475328.0,"ent":4.0,"data": [38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":55.4,"var":3064.0,"ent":4.9,"data": [82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106]},"bins": {"c_to_s": [0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779639103009,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779639103009,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":28150,"dst_port":59772,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779639103009,"pkt":"EBMx8Tl2KDc3AG3ICABFAABsKQMAAEARarrAqAFNVwvNw2326XwAWFNj2ajstQcU9VmrWsN2RmlsiodFzsmW0mXr5Gv8o0f2aR9YWQKIE34PAz\/0T4VwEA0DXBRrws2ycCoPovMV6p5YsfJULcJS2cwqBKkU3Xys+SQ="} -01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7087,"avg":113400.4,"max":504936,"stddev":151181.6,"var":22855886848.0,"ent":4.1,"data": [34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617,0]},"pktlen": {"min":74,"avg":157.0,"max":218,"stddev":54.2,"var":2943.0,"ent":4.9,"data": [82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218]},"bins": {"c_to_s": [0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7087,"avg":113400.4,"max":504936,"stddev":151181.6,"var":22855886848.0,"ent":4.1,"data": [34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617]},"pktlen": {"min":74,"avg":157.0,"max":218,"stddev":54.2,"var":2943.0,"ent":4.9,"data": [82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218]},"bins": {"c_to_s": [0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":899,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1588779639832508,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779639832508,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKAckAAAERBWvAqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":915,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1588779640101988,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779640101988,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMml0AAEAR+X\/AqAFNVwvNw2326XwAOMsSsmK\/vWlJHJOqyuLBG8kWaad6RX1I27GljGkLPfHdr93dNQ8yPA7ggZLrS4Zn185b"} 00913{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1129,"source":"telegram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1588779645375046,"flow_dst_last_pkt_time":1588779596465053,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":353,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":353,"pkt_l4_len":319,"thread_ts_usec":1588779645375046,"pkt":"AQBeAAD7eCjKBfrMCABFAAFTiPpAAAERTLfAqAFF4AAA+xTpFOkBP9DmAACEAAAAAAEAAAADEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAAADAABAAAAeAAvEXNvbm9zNzgyOENBMDVGQUNDEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MQX3Nwb3RpZnktY29ubmVjdARfdGNwBWxvY2FsAAAQgAEAABGUAB0LVkVSU0lPTj0xLjAQQ1BhdGg9L3Nwb3RpZnl6YxFzb25vczc4MjhDQTA1RkFDQxBfc3BvdGlmeS1jb25uZWN0BF90Y3AFbG9jYWwAACGAAQAAAHgAHwAAAAAFeBFzb25vczc4MjhDQTA1RkFDQwVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MFbG9jYWwAAAGAAQAAAHgABMCoAUU="} @@ -301,8 +301,8 @@ ~~ total active/idle flows...: 48/48 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6157214 bytes -~~ total memory freed........: 6157214 bytes +~~ total memory allocated....: 6157022 bytes +~~ total memory freed........: 6157022 bytes ~~ total allocations/frees...: 123509/123509 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars |