Added layer4 payload length bins.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

1 files changed, 6 insertions, 6 deletions

diff --git a/test/results/zoom.pcap.out b/test/results/zoom.pcap.out
index cdec9dd9d..a99decab7 100644
--- a/test/results/zoom.pcap.out
+++ b/test/results/zoom.pcap.out
@@ -102,7 +102,7 @@
 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":112,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470165906,"flow_dst_last_pkt_time":1569520470280367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1569520470280367,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}}
 01550{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470280708,"flow_dst_last_pkt_time":1569520470280793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5608,"midstream":0,"thread_ts_usec":1569520470280793,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}}
 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569520470350181,"flow_dst_last_pkt_time":1569520466080774,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"thread_ts_usec":1569520470350181,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjK4AAAAQEICiWc3wRwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="}
-01194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":38469.9,"flow_max":210729,"flow_stddev":59394.9,"c_to_s_min":3,"c_to_s_avg":42592.9,"c_to_s_max":210729,"c_to_s_stddev":64597.3,"s_to_c_min":13,"s_to_c_avg":35074.5,"s_to_c_max":143960,"s_to_c_stddev":54507.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.9,"c_to_s_max":864,"c_to_s_stddev":271.5,"s_to_c_min":60,"s_to_c_avg":1095.4,"s_to_c_max":1506,"s_to_c_stddev":617.8}}}
+01422{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":3,"flow_avg":38469.9,"flow_max":210729,"flow_stddev":59394.9,"c_to_s_min":3,"c_to_s_avg":42592.9,"c_to_s_max":210729,"c_to_s_stddev":64597.3,"s_to_c_min":13,"s_to_c_avg":35074.5,"s_to_c_max":143960,"s_to_c_stddev":54507.0},"pktlen": {"c_to_s_min":54,"c_to_s_avg":202.9,"c_to_s_max":864,"c_to_s_stddev":271.5,"s_to_c_min":60,"s_to_c_avg":1095.4,"s_to_c_max":1506,"s_to_c_stddev":617.8},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]}}}
 01554{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}}
 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520470666966,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520470666966,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1569520470666966,"pkt":"\/\/\/\/\/\/\/\/KDc3AG3ICABFAABI4PAAAEARFPDAqAF1wKgB\/+EV4RUANLyaU3BvdFVkcDAJFTOWktM6lAABAARIlcIDDi3QR5gZLZgtSkZtNr91y8rdz4k="}
@@ -158,7 +158,7 @@
 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":286,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471221044,"flow_dst_last_pkt_time":1569520471255395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569520471255395,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}
 01660{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":291,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471255585,"flow_dst_last_pkt_time":1569520471266033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5536,"midstream":0,"thread_ts_usec":1569520471266033,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}}
 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":302,"source":"zoom.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471399595,"flow_dst_last_pkt_time":1569520467811636,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":113,"pkt_l4_len":79,"thread_ts_usec":1569520471399595,"pkt":"EBMx8Tl2KDc3AG3ICABFAABjAABAAEAGoUnAqAF1PpWYmdRFA+E5lpAkp\/QQcoAYEAA2VgAAAQEICiWc4viZh0dJFwMDACpAXTQxH2s8yyXvpDmREm16+\/VcNt\/x\/vlsIce1k7D8R+clMelpc+AJPCA="}
-01583{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":28227.3,"flow_max":156067,"flow_stddev":40349.6,"c_to_s_min":3,"c_to_s_avg":27877.9,"c_to_s_max":156067,"c_to_s_stddev":37771.0,"s_to_c_min":1,"s_to_c_avg":28651.5,"s_to_c_max":156062,"s_to_c_stddev":43270.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":236.8,"c_to_s_max":1506,"c_to_s_stddev":344.5,"s_to_c_min":66,"s_to_c_avg":688.6,"s_to_c_max":1506,"s_to_c_stddev":655.8}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
+01810{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":1,"flow_avg":28227.3,"flow_max":156067,"flow_stddev":40349.6,"c_to_s_min":3,"c_to_s_avg":27877.9,"c_to_s_max":156067,"c_to_s_stddev":37771.0,"s_to_c_min":1,"s_to_c_avg":28651.5,"s_to_c_max":156062,"s_to_c_stddev":43270.9},"pktlen": {"c_to_s_min":66,"c_to_s_avg":236.8,"c_to_s_max":1506,"c_to_s_stddev":344.5,"s_to_c_min":66,"s_to_c_avg":688.6,"s_to_c_max":1506,"s_to_c_stddev":655.8},"bins": {"c_to_s": [10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]}},"ndpi": {"flow_risk": {"9": {"risk":"TLS Cert Expired","severity":"High","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1569520471748648,"pkt":"EBMx8Tl2KDc3AG3ICABFAACHYY4AAEARSPnAqAF1bV6gY+PXImEAcwEfAQACfUZNNf\/9ojRJXQ1tO1HolgAAAAAAAAACAHoAKgB6ACoAAABADhc935YCXvuVxCQMI1O\/y\/Bgvpncu9jEece5cy1sdfpDYvCDXrg+TanGp+bzCbMeQN8Pa7V1aoQPcx2bwfanLQAAAAA="}
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
@@ -171,7 +171,7 @@
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":425,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471915269,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471915269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471915269,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":60620,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":442,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939789,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1569520471939789,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA\/uqdAADURuydtXqBjwKgBdSJh7MwAK7AuAgABgEJ0mpHOZDa3wq7Yfnt8kABaDj8AegDRAAAAAAAAAAA="}
 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":443,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1569520471939806,"pkt":"KDc3AG3IEBMx8Tl2CABFAAApuqhAADURuzxtXqBjwKgBdSJh7MwAFUSkAwAAAAF2Ko4UAFoOPwAAAAAA"}
-01332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":28,"flow_avg":10365.7,"flow_max":35562,"flow_stddev":8525.9,"c_to_s_min":4719,"c_to_s_avg":18468.0,"c_to_s_max":32217,"c_to_s_stddev":13749.0,"s_to_c_min":28,"s_to_c_avg":9806.9,"s_to_c_max":35562,"s_to_c_stddev":7734.8},"pktlen": {"c_to_s_min":55,"c_to_s_avg":103.0,"c_to_s_max":149,"c_to_s_stddev":38.4,"s_to_c_min":60,"s_to_c_avg":967.9,"s_to_c_max":1071,"s_to_c_stddev":303.6}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
+01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"flow_min":28,"flow_avg":10365.7,"flow_max":35562,"flow_stddev":8525.9,"c_to_s_min":4719,"c_to_s_avg":18468.0,"c_to_s_max":32217,"c_to_s_stddev":13749.0,"s_to_c_min":28,"s_to_c_avg":9806.9,"s_to_c_max":35562,"s_to_c_stddev":7734.8},"pktlen": {"c_to_s_min":55,"c_to_s_avg":103.0,"c_to_s_max":149,"c_to_s_stddev":38.4,"s_to_c_min":60,"s_to_c_avg":967.9,"s_to_c_max":1071,"s_to_c_stddev":303.6},"bins": {"c_to_s": [1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
 00648{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":151,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":151,"pkt_l4_len":117,"thread_ts_usec":1569520473084563,"pkt":"EBMx8Tl2KDc3AG3ICABFAACJ4\/YAAEARxo7AqAF1bV6gY\/EjImEAde5DAQACOkSxT2rBSy0CI5EJ7ghSoQAAAAAAAAACAHoFYgB6BWIAAABAyr1YPP8KZ34wUqB9PR5Zle\/sBvgfAfGBqNzDFPjrnryOYaOvAtAdhsk5Sd978V5OWjrnwByNSAVBXX+sDOwgiv\/\/\/\/8KAA=="}
 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}}
@@ -221,9 +221,9 @@
 ~~ total active/idle flows...: 33/33
 ~~ total timeout flows.......: 0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 6367012 bytes
-~~ total memory freed........: 6367012 bytes
-~~ total allocations/frees...: 122612/122612
+~~ total memory allocated....: 6371236 bytes
+~~ total memory freed........: 6371236 bytes
+~~ total allocations/frees...: 122678/122678
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~ json string min len.......: 190 chars
 ~~ json string max len.......: 2387 chars